
Asset Discovery That Improves The More You Use It

A SCADAfence New Feature report

The first question we’re usually asked by any CISO who wants to increase their OT security posture is about asset visibility and management. Gathering a comprehensive and accurate inventory of all the devices attached to an OT network is often the primary need driving an organization to seek assistance, and the biggest barrier to achieving their goals for security and compliance. It’s the right question to be asking, and the best place to start.

This Thanksgiving, Be Thankful for OT Security | SCADAfence

Thanksgiving – when families get together and express gratitude for everything they have, accompanied by good food and hopefully great football. For most families and network security teams who just feel like family, this is a great time for looking back and evaluating the past year and giving thanks for how far we’ve come. 


Four reasons for CISOs to maintain (or increase!) their OT security budget during a recession

Psst… Don’t look now, but the global economy might be entering a recession. Yeah, yeah, you already know that. Every day you’re reading about tech industry layoffs, stock market dips, and general economic belt-tightening.

What does this mean for your OT security budget? Should you consider making cuts now to save your organization money?


OpenSSL Vulnerability – What It Means For Your OT Network

The cyber security community was deeply engrossed this week in the news that OpenSSL, the organization responsible for the software package that encrypts and secures communications across much of the internet, was about to release a patch for a newly discovered “Critical” vulnerability.

The original announcement on October 25th was met with a cyclone of reaction and commentary from security experts. However, after a few tense days of speculation, OpenSSL downgraded the vulnerability rating to “High” before publicly releasing details of the security flaw and the patch on November 1, 2022. Despite the lowered rating, and while the issue is turning out not to be the crisis that many experts had feared, this is still considered a potentially major security issue and it is important to understand it and take remedial action where necessary.

This blog will explain what OpenSSL is used for, the commotion caused by this week’s announcement, what it means for your OT network’s cyber security, and offer SCADAfence analysts’ advice for protecting your network from the vulnerabilities.


The Rise of Post-Exploitation Attack Frameworks

The Cyber Kill Chain is a framework that outlines the stages of common cyberattacks and the points in the process at which attacks can be detected or intercepted. Developed by Lockheed Martin, this model contains seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objective.

Gartner’s Advice For Choosing The Right OT Protection For Your Network

If you are the person in your organization responsible for securing an OT network, you are probably feeling very popular these days. Your inbox is no doubt full of emails inviting you to ‘hop on a call’ or ‘download now’ or ‘schedule a demo’, each one promising the best OT cyber security solution. There’s an absolute glut of options right now, and the choices are growing at a rapid pace. What’s a CISO to do? Which options are the most important? What features should you look for in a comprehensive OT solution?


New Insights into GhostSec Attacks on Iran’s Infrastructure

Multiple factions of the hacker group known as “Anonymous” have banded together to carry out coordinated cyber attacks targeting Iran as retaliation for the deaths of multiple young women in Iran who were protesting the circumstances surrounding the death of Mahsa Amini.


5 Best Practices for Operational Technology (OT) Security

Why Do You Need Operational Network Security?

Modern operational technology (OT) networks are evolving due to developments such as the rise of the Industrial Internet of Things (IIoT), Industry 4.0, the smart grid and more. In order to remain competitive in their industries, organizations are adopting these beneficial technologies to optimize their operations and significantly cut operational costs.

These new technologies increase the connectivity and the complexity of operational environments, and as a result, their exposure to potential OT cyber attacks or damage caused by human error increases significantly. In the past, operators trusted network segmentation, isolation, or air-gapping as an effective security measure. But due to the increasing connectivity between the OT, IT and other networks, this is no longer true. Therefore, adhering to OT security best practices and deploying the most advanced OT security tools is critical for the protection, visibility, and control of OT environments.


Introducing SCADAfence’s “Tailored Threat Intelligence”

A SCADAfence New Feature report

“Could we be next?”  

One of the biggest challenges for an industrial OT/ICS security professional is figuring out whether their organization is vulnerable to the latest announced strain of ransomware. With reports of new OT security breaches and ransomware attacks being released every day, it can be hard to know which ones are a concern to your organization and which ones you can safely ignore. While it’s important to remain prepared, it’s equally important not to create a false sense of urgency. What you need to remember is that although attacks are commonplace, they are often very specific. Not every threat pertains to every OT network setup. Malicious actors carry out attacks by targeting known vulnerabilities on specific devices. If your facility doesn’t use that device, you are less vulnerable to that attack. But with so many attacks happening daily, keeping track of which ones are a threat to your organization is a challenge.

Introducing “Tailored Threat Intelligence”

The SCADAfence platform now allows you to receive a feed of the latest industry news and intelligence customized specifically to your OT network, containing only information relevant to your organization. Every time a new attack report is released, it is analyzed and curated by the SCADAfence Research Team. The information, including signatures and attack insights, is added to the industry event database along with detailed explanations and recommendations on minimizing each risk. Then a custom news feed is delivered to each client, with only the information that is relevant to you and your organization.

The context delivered by SCADAfence’s Tailored Threat Intelligence provides valuable knowledge about each event, such as the types of assets being attacked, from which vendors, and the protocols being used. For each alert, the SCADAfence Platform can determine the level of relevancy per customer based on the customer’s site details, asset inventory and network traffic. As a result, SCADAfence Tailored Threat Intelligence provides users with a well-organized list of relevant industry news, each item prioritized by a relevancy score, and actionable recommendations on what can be done to reduce the risk from the event.

Your fully customized and prioritized SCADAfence Threat Intelligence Feed.

SCADAfence’s automated threat updates and prioritization are a breakthrough for increasing the efficiency of your response to industrial cyber security events. They improve your ability to know which industry events are relevant, reduce risk and respond effectively without wasting valuable resources.
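To make the relevancy idea concrete, here is an added illustration (not SCADAfence code, and not the platform’s actual algorithm) of how a threat event’s vendors, device models and protocols can be matched against an asset inventory to produce a score and a prioritized list; the weights, data classes and sample inventory are assumptions constructed for the example.

```python
"""Illustrative relevancy scoring of threat events against an OT asset inventory.
Added example; weights and record formats are assumptions, not SCADAfence's."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    vendor: str
    model: str
    protocols: set = field(default_factory=set)


@dataclass
class ThreatEvent:
    title: str
    vendors: set      # vendors named in the report
    models: set       # device models named in the report
    protocols: set    # protocols the attack relies on


# Assumed weights: an exact model match matters most, a bare protocol match least.
W_VENDOR, W_MODEL, W_PROTOCOL = 0.3, 0.5, 0.2


def relevancy(event: ThreatEvent, inventory: list) -> float:
    """Score in [0, 1]: how much of the event's footprint exists in this site's inventory."""
    vendors = {a.vendor.lower() for a in inventory}
    models = {a.model.lower() for a in inventory}
    protocols = set().union(*(a.protocols for a in inventory))
    score = 0.0
    if {v.lower() for v in event.vendors} & vendors:
        score += W_VENDOR
    if {m.lower() for m in event.models} & models:
        score += W_MODEL
    if {p.lower() for p in event.protocols} & protocols:
        score += W_PROTOCOL
    return round(score, 2)


def prioritize(events: list, inventory: list) -> list:
    """Return (score, title) pairs, highest relevancy first; zero-score events sink to the bottom."""
    scored = [(relevancy(e, inventory), e.title) for e in events]
    return sorted(scored, key=lambda pair: (-pair[0], pair[1]))


# Constructed sample site: one building-management controller and one PLC.
INVENTORY = [Asset("Alerton", "ACM", {"bacnet"}), Asset("Siemens", "S7-1200", {"s7comm"})]
# Constructed sample events, not real advisories.
EVENTS = [
    ThreatEvent("Ransomware campaign against Alerton ACM over BACnet", {"Alerton"}, {"ACM"}, {"bacnet"}),
    ThreatEvent("Advisory for Rockwell ControlLogix over EtherNet/IP", {"Rockwell"}, {"ControlLogix"}, {"enip"}),
    ThreatEvent("Internet-wide BACnet scanning activity", set(), set(), {"bacnet"}),
]

if __name__ == "__main__":
    for score, title in prioritize(EVENTS, INVENTORY):
        print(f"{score:.2f}  {title}")
```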

Summary of Benefits of Tailored Threat Intelligence

  • Industry-specific security events are analyzed by SCADAfence’s Research Team and tailored to your needs. Save time by not having to wade through irrelevant information.
  • You’ll understand the relevancy to your organization of each reported cyber attack.
  • Helps your organization avoid a false sense of urgency from ransomware attacks not relevant to your organization’s deployed devices.
  • Provides a custom relevancy score for each event.
  • Dramatically reduces the need for manual review of each newly reported threat.
  • The feed is constantly updated through the SCADAfence cloud.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About SCADAfence
SCADAfence helps companies with large-scale operational technology (OT) networks embrace the benefits of industrial IoT by reducing cyber risks and mitigating operational threats. Our non-intrusive platform provides full coverage of large-scale networks, offering best-in-class detection accuracy, asset discovery and user experience. The platform seamlessly integrates OT security within existing security operations, bridging the IT/OT convergence gap. SCADAfence secures OT networks in manufacturing, building management and critical infrastructure industries. We deliver security and visibility for some of world’s most complex OT networks, including Europe’s largest manufacturing facility. With SCADAfence, companies can operate securely, reliably and efficiently as they go through the digital transformation journey.

SCADAfence Discovers First CVEs Detected In Alerton PLCs

Alerton, a subsidiary of Honeywell, is a major manufacturer of building management systems for heating, ventilation, and air conditioning (HVAC). SCADAfence’s research team discovered vulnerabilities that led to NIST issuing the first CVEs ever assigned to Alerton products. Left without proper security measures, these vulnerabilities could lead to major disruptions in any facility where the products are deployed.

This is a technical report on how our research team discovered these vulnerabilities.

Alerton Ascent Suite

Alerton Ascent is a suite of controllers, devices, and software used for building management specifically in regard to HVAC. The Ascent product suite is deployed in buildings, server rooms, chemical labs, hospitals and more, with the purpose of maintaining the appropriate air flow and safe temperature required for a room’s or space’s specific need.

The Alerton Suite is made up of many different components. For example, the Alerton Ascent network we used in our research comprised:

  1. Alerton Ascent Control Module (ACM) – Main controller
  2. VLC-853 – Field controller
  3. Alerton Compass – Management and Control Tool
  4. Visual Logic – Programming Tool

Alerton Ascent Suite Topology Map

As seen in the topology map, an ACM is connected to a VLC-853 device over a serial port. The Compass software and Visual Logic software have access to the ACM over Ethernet via a network switch.

Any user, innocent or malicious, can access the various Alerton devices and software either locally or remotely via the network switch, assuming that there are no extra security tools providing network protection (such as a firewall or switch port security).

A malicious user gaining access to the Ascent Suite can degrade the credibility, integrity, and availability of the BMS as a whole.

Configuration Change for Alerton ACM

The Compass software provides the ability to configure the ACM. This configuration includes setting IP values, enabling or disabling specific ports, defining which networking protocols are active and more. In general, the configuration is set when the system is installed and is rarely changed thereafter.

Alerton Config Interface

The Attack – CVE-2022-30242 and CVE-2022-30245

Two of the CVEs that were disclosed, CVE-2022-30242 (CVSS 3.x score of 6.8) and CVE-2022-30245 (CVSS 3.x score of 6.5), allow configuration changes to be made outside of the Compass software without any authorization or authentication. In addition, the configuration changes that were performed are not relayed to the Compass software, leaving the system operator unaware that a change to the configuration occurred.

The following is a Wireshark partial capture showing how the configuration data is sent over the network from the Compass Software to the ACM:

Wireshark capture showing config data sent over the network

As seen in the traffic snippet above from Wireshark, the configuration is sent to the ACM as cleartext ASCII characters with no obfuscation, so there is little difficulty in understanding or changing the configuration data.

By extracting the whole configuration from the network traffic, and setting the MSTP0 ENABLE field to N, we can simply disable the COM0 port from any computer with access to the ACM.

Change sent over the network

As a result of sending a specially crafted packet with the above change, the configuration of the ACM changed, and COM0 was set to disabled, disconnecting the VLC-853 controller from the ACM:

While successful changes in the configuration occurred, the Device Configuration window still indicates to the operator that COM0 is enabled:

In a real life scenario, this can have significant and/or tragic effects.

Having this vulnerability leveraged in a real-life setting can cause connectivity issues or undefined behavior across the entire network. In the example above, COM0 was disabled, which cut the VLC-853 out of the network.

If the VLC-853 were responsible for ensuring that a cloud storage server room was properly cooled, operators who notice that the VLC-853 is not communicating with the ACM, and who are unaware that a configuration change occurred, may be compelled to shut down the server farm out of fear of the servers overheating, causing major disruptions for numerous services worldwide.

This is obviously a single example for a single change in configuration. Any number of other changes can have similar, troubling effects.

Programming Changes for Alerton Controllers

Programming management for Alerton controllers is done using an Alerton proprietary plug-in for Microsoft Visio called Visual Logic. Programs written using Visual Logic use diagrams to display the program in a visual manner, as seen below:

Visual Logic Program sent to Alerton Controller

Programs are written, pushed to controllers and run by engineers whose task it is to define the programmatic logic of the controller necessary for it to perform its specific role in the network.

Programs are written and edited on an as-needed basis and are not accessed frequently so long as the target device is fulfilling its intended purpose.

The Attack – CVE-2022-30243 and CVE-2022-30244

In our research, we successfully wrote a program to an Alerton ACM device without authorization or authentication. In addition, the Visual Logic software did not provide any indication that a programming change occurred or that the program saved in the engineering software differs from the one actually running on the ACM. This leaves an operator clueless as to why a controller has malfunctioned, changed its activity or stopped processing altogether.

This resulted in the disclosure of two CVEs, CVE-2022-30243 (CVSS 3.x score of 8.8) and CVE-2022-30244 (CVSS 3.x score of 8.0).

The packet sequence for writing a program to the ACM is a fixed sequence of BACnet commands, listed in order as follows:

With the exception of ADD_CODE_BLOCK_PACKET, all of the commands above are static, constant BACnet packets whose only dynamic parameter is the invoke ID. Being a BACnet system, there are no authorization checks to ensure that the commands being sent come from a reliable and authorized source.

An attacker who has network access to any of the Alerton controllers can send a maliciously crafted program, using the above sequence of commands, to change a program on the target controller. This is done without the knowledge of an operator, as there is no indication of a program change in the Compass software or the Visual Logic Programming Visio plug-in.
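Both CVE pairs share the same detection opportunity: the writes are unauthenticated, so the only remaining control is to watch who sends them and what they change. The following added example (not SCADAfence or Honeywell code) is a passive monitor over constructed traffic records that flags configuration pushes and program-write services reaching the ACM from any host other than the engineering station, and diffs each config push against a baseline so a port-disabling change such as MSTP0 ENABLE going to N is surfaced to the operator even though Compass would not show it. The record layout, the ACM and station addresses, and the KEY=VALUE encoding of the cleartext config are assumptions; ADD_CODE_BLOCK_PACKET is the one service name the page gives.

```python
"""Passive monitor for unauthorised Alerton ACM configuration and program writes.
Added example; addresses, record format and the KEY=VALUE config encoding are assumptions."""
from dataclasses import dataclass

ACM_IP = "10.0.0.10"                  # constructed: address of the ACM
ENGINEERING_STATIONS = {"10.0.0.20"}  # constructed: hosts allowed to run Compass / Visual Logic
# Port-enable fields whose change disconnects field controllers (page: MSTP0 ENABLE=N drops COM0).
SENSITIVE_FIELDS = {"MSTP0 ENABLE", "MSTP1 ENABLE"}
# BACnet services that belong to the program-write sequence; only this name is given on the page.
PROGRAM_WRITE_SERVICES = {"ADD_CODE_BLOCK_PACKET"}


@dataclass
class Record:
    src: str
    dst: str
    kind: str      # "config": cleartext ASCII config push; "bacnet": payload is the service name
    payload: str


def parse_config(text: str) -> dict:
    """Parse a cleartext config push as KEY=VALUE lines (encoding assumed for the example)."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().upper()] = value.strip().upper()
    return cfg


def analyse(records: list, baseline: dict):
    """Return (alerts, current_config); baseline is the last config pushed by a trusted station."""
    alerts, current = [], dict(baseline)
    for r in records:
        if r.dst != ACM_IP:
            continue
        trusted = r.src in ENGINEERING_STATIONS
        if r.kind == "config":
            new = parse_config(r.payload)
            if not trusted:
                alerts.append(f"config write from unauthorised host {r.src}")
            # Surface sensitive changes from any source: Compass shows stale state either way.
            for key, value in new.items():
                if key in SENSITIVE_FIELDS and current.get(key) != value:
                    alerts.append(f"{key} changed {current.get(key)}->{value} by {r.src}")
            current.update(new)  # track what the ACM now holds, whoever sent it
        elif r.kind == "bacnet" and r.payload in PROGRAM_WRITE_SERVICES and not trusted:
            alerts.append(f"program write ({r.payload}) from unauthorised host {r.src}")
    return alerts, current


BASELINE = {"MSTP0 ENABLE": "Y", "MSTP1 ENABLE": "N"}   # constructed known-good config
SAMPLE = [  # constructed traffic, not a real capture
    Record("10.0.0.20", ACM_IP, "config", "MSTP0 ENABLE=Y\nMSTP1 ENABLE=N"),
    Record("10.0.0.99", ACM_IP, "config", "MSTP0 ENABLE=N\nMSTP1 ENABLE=N"),
    Record("10.0.0.99", ACM_IP, "bacnet", "ADD_CODE_BLOCK_PACKET"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE, BASELINE)[0]:
        print("ALERT:", alert)
```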

The following image is a diagram of the program that we pushed to the controller in the previous section; however, an additional component was added and pushed to the controller from a third-party computer with no access to the Visual Logic software:

Visual Logic Image of Program Pushed to Alerton Controller

The only indication that a programming change occurred is by clicking the Read from Device button as seen in the image below, and comparing the downloaded program to that which is stored on the engineering station:

Program Stored On Engineering Station

As with the configuration change vulnerabilities, if these vulnerabilities are leveraged on an Alerton controller in a real-life, production network the effects can be catastrophic.

If a controller is managing the air flow in a chemical lab, and a program is written to the controller that essentially renders it useless for its current purpose (either a stub program, or a program that does not fulfill the air flow requirement), anyone in the lab could potentially be in a life-threatening situation.

The potential scenarios that can occur by taking advantage of these vulnerabilities are endless, and can be very serious and even lethal.

Full details on the CVEs can be found on the official NIST website:
https://nvd.nist.gov/vuln/detail/CVE-2022-30242
https://nvd.nist.gov/vuln/detail/CVE-2022-30243
https://nvd.nist.gov/vuln/detail/CVE-2022-30244
https://nvd.nist.gov/vuln/detail/CVE-2022-30245

In response to SCADAfence’s findings, Honeywell issued a Product Security Bulletin informing Alerton ACM Controller users of the vulnerabilities.

To learn more about how the SCADAfence Platform can protect your OT network, visit our website or request a demo.
