ODVA, the organization in charge of the EtherNet/IP protocol, responds to the Project Basecamp Metasploit module and payloads that take advantage of the protocol’s lack of authentication to reboot or completely stop the device. It basically says yes, this is true because EtherNet/IP is “an open protocol”, and you should follow ICS-CERT and ODVA guidance on good security practices to stop the bad guys from getting to an EtherNet/IP device.
On one hand, it is unrealistic to expect a membership-based organization to have a quick response to any news. They discuss the possibility to “work with its members to evaluate potential security enhancements to the specification that can address these and other emerging risks”. On the other hand, it is very embarrassing that they have known that the Basecamp and many other attacks are possible on this “open protocol” for years and have chosen to do literally nothing. One of the goals of Basecamp is to finally start the process of securing PLCs and other field devices, so you will hear nothing but praise from us if they use this opportunity to quickly start and expeditiously work to add security options to the protocol.
Dear ODVA members,
You may be aware that today a security consulting firm called Digital Bond released plug-in modules for the Metasploit Framework that expose specific security vulnerabilities in industrial control systems using EtherNet/IP™. ODVA is responding to this issue, and below you will find information that we will be providing to industry as a first step.
If you receive any inquiries related to this issue, please feel free to contact me directly on firstname.lastname@example.org.
Today, Digital Bond released plug-in modules for the Metasploit Framework that expose specific security vulnerabilities in industrial control systems using EtherNet/IP™.
EtherNet/IP was engineered as an open protocol with the express intent to improve interconnectivity and the integration of industrial control products from multiple vendors. As a result, the potential exists that certain protocol attributes can be mis-applied in a way that can disrupt operation and affect availability of products in an EtherNet/IP system. These types of vulnerabilities and potential attacks on open protocols are not unique to EtherNet/IP; nonetheless ODVA shares in the particular concerns raised by this event because of EtherNet/IP’s widespread use in critical industrial control systems and other mission critical applications.
We live in a new era in industrial automation – one where the need for greater connectivity and information integration between network systems leads to new risks and threats to industrial control systems connected to business systems and the Internet.
The response from the industry should be threefold. ODVA, as the steward of the EtherNet/IP open network specification, will work with its members to evaluate potential security enhancements to the specification that can address these and other emerging risks. Vendors designing products that use EtherNet/IP can help ensure that products follow good design practices and are hardened against common security vulnerabilities. Equally important, end users and machine builders must do their part in adopting security programs that include policies and training of those who come in contact with the system design. Users also should work with their vendors to determine if their control system assets are affected, as the Metasploit modules do not impact all EtherNet/IP devices or system configurations.
ODVA recommends that all industrial control systems employ sound security practices that include layered security and defense-in-depth strategies in the network design. Specific measures such as industrial firewalls, strong authentication, intrusion detection/intrusion prevention systems and end-point security software such as antivirus and antimalware software should also be used to help reduce security risks to industrial control systems.
ODVA remains committed to evolving as the needs of the industry change. For additional background on the importance of industrial security and how to help enhance security in EtherNet/IP systems visit: http://www.odva.org/Portals/0/Library/Publications_Numbered/PUB00269R0_ODVA_Securing_EtherNetIP_Networks.pdf.
ODVA also advises its members to remain informed regarding security recommendations from such bodies as the US Department of Homeland Security – ICS CERT. Links to ICS-CERT recommendations can be found at http://www.us-cert.gov/control_systems/ics-cert/.
Image by Rajiv Patel