Forescout’s Vedere Labs has released its latest research report, the first systematic study into deep lateral movement: how advanced adversaries can move laterally among devices at the controller level – known as Purdue level 1 or L1 – of OT networks.
Deep lateral movement lets attackers gain deep access to industrial control systems and cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations as well as override functional and safety limitations.
This research exposes the volume of “network crawl space”: space that is not on asset owners’ radars, such as links that run between security zones at deep system levels that might not receive the attention they deserve. To close these gaps, an L1 device that sits between segments still needs a corresponding perimeter security profile.
Key research findings
OT L1 devices such as PLCs are notoriously insecure. RCE has been demonstrated against many of them using techniques such as insecure engineering interfaces (see OT:ICEFALL), malicious logic or firmware downloads and memory corruption vulnerabilities (see Project Memoria). Additionally, malware such as TRITON has shown that real-world threat actors are both capable of and interested in developing such capabilities.
Regardless, L1 devices that sit at the intersection of multiple, mixed networks (from Ethernet and fieldbuses to industrial wireless and trunked radio) are frequently treated as security perimeters. However, they lack the hardening and risk profiles that would accompany workstations or servers in a similar position. Worse yet, vendor and regulatory guidance may implicitly support this practice.
This issue has become more pertinent with the rise of the industrial Internet of Things (IIoT), where gateways enable direct communications between L1 devices on the edge and cloud platforms, potentially exposing this soft underbelly beyond the traditional hardening at the intermediate Purdue levels.
How deep lateral movement enables attacks
Deep lateral movement can enable attackers to achieve outcomes otherwise impossible. Attackers might use this technique for two main reasons:
- Perimeter crossing. Attackers may need to move around hardened or across unacknowledged perimeters. A common example of zone-crossing at level 1 is the interaction between the basic process control system – which directly controls the industrial process being automated – and a safety instrumented system – which is responsible for safety, emergency procedures and bringing the industrial process to a safe state. Another underestimated perimeter in OT is the one regulated by fieldbus couplers. Couplers are very limited gateways that move specific sets of input/output values between two different fieldbuses and are often used as perimeters between asset owners and third-party managed systems.
- Granular control. Deep lateral movement may be used to establish more granular control over specific systems by interacting with nested devices in a way not possible through what is intentionally exposed. To bypass functional and safety limitations or reach deeply nested devices, attackers may have to move through multiple L1 devices first.
Schneider Electric Vulnerability Disclosure
In the proof-of-concept developed for this research, Vedere Labs used two new vulnerabilities that are today being publicly disclosed for the first time: CVE-2022-45788 and CVE-2022-45789. They allow for remote code execution (RCE) and authentication bypass, respectively, on Schneider Electric Modicon programmable logic controllers (PLCs) – one of the most popular families of PLCs in the world, used in several critical infrastructure sectors.
These issues were found as part of Vedere Labs’ OT:ICEFALL research in 2022 but were not disclosed then at the request of the vendor. More details about the issues are available on Schneider Electric’s advisories SEVD-2023-010-05 and SEVD-2023-010-06
The Schneider Electric Modicon family of PLCs is one of the most popular in the world. In fact, Modicons were the first PLCs on the market when introduced in 1968. The popularity of these devices has led their targeting by threat actors. As a part of the recent wave of hacktivist attacks targeting OT, the GhostSec group targeted an exposed M340 belonging to the Nicaraguan ISP UFINET by writing the value 0 to all its Modbus registers.
The newly uncovered issues, summarized below, only affect the Modicon PLC Unity line. CVE-2022-45788 is an example of RCE via an undocumented memory write operation, while CVE-2022-45788 exemplifies a broken authentication scheme. As the technical report explains, when combined, these vulnerabilities can lead to RCE on Modicon Unity PLCs.
Note that while Schneider Electric describes CVE-2022-45788 as relating to downloading malicious project files, this vulnerability actually operates on a completely different – undocumented – set of functionality that allows for modifying internal PLC memory without affecting the PLC run state or requiring a project download.
As noted, Modicon PLCs are extremely popular and widely used around the world. Estimating the number of affected devices based on public data is difficult because these devices are not supposed to be accessible via the internet. However, we are still able to see close to a thousand PLCs exposed online via Shodan, predominantly in the power industry (44%), followed by manufacturing (19%) and agriculture (15%). We found multiple instances of public subnets, likely used by system integrators or contractors, exposing Modicon PLCs for different power generation projects.
For full details on the estimated number of affected devices by country and industry – including close to 30 devices mapped to critical infrastructure operators – read the new technical report.
For mitigation of CVE-2022-45788 and CVE-2022-45789, follow the steps on Schneider Electric’s advisories SEVD-2023-010-05 and SEVD-2023-010-06.
Mitigation recommendations
The all-too-common habit of treating certain links – such as serial, point-to-point, radio frequency and couplers – as if they’re immune to many of the same issues that are seen on regular Ethernet LAN networks is something that needs to be critically re-evaluated.
The impact of a compromised device is not limited to the explicit capabilities of a link or its first-order connectivity. Just because it only exposes a few Modbus registers or is hooked up to an uninteresting device does not mean that an attacker cannot turn that link into something else and use that uninteresting device as a staging point for moving towards more interesting targets.
With the access attackers achieve through deep lateral movement, things that magnify the impact of an attack become possible.
Mitigating the risks of deep lateral movement requires a careful blend of network monitoring to detect adversaries as early as possible, visibility into often overlooked security perimeters at the lower Purdue levels and hardening the most interconnected and exposed devices.
The following mitigation strategies for hardening L1 devices and networks:
- Disable unused services on devices. For instance, if UMAS over Ethernet is not required on a PLC, disable it. Even if the PLC is nested, as Vedere Labs showed in this report how attackers can leverage vulnerabilities on nested devices.
- Use DPI firewalls and IP-based access control lists to restrict sensitive flows between engineering workstations and PLCs. In cases where only subsets of protocols are required, use deep packet inspection (DPI) to restrict this further.
- From a forensics perspective, ingest level 1 event logs which contain indicators of malicious activity of this kind.
- Enforce segmentation through OT-DPI firewalls and/or conformance-checking gateways including for point-to-point links.
- Depending on the risk, certain point-to-point links that cross highly sensitive segments might warrant dedicated drop-in DPI firewalls for Ethernet. For serial links with similar profiles, you might want to consider inline taps that collect data out-of-band.
