Last week at Black Hat Europe in Amsterdam, Alexander Polyakov and Mathieu Geli of ERPScan presented some interesting research on vulnerabilities in ERP application software that could be used to attack ICS.
In particular, the researchers have discovered vulnerabilities in SAP xMII, SAP Plant Connectivity, SAP HANA, the Oracle E-Business Suite platform and some widely used OPC servers such as Matrikon OPC. These vulnerabilities, combined with configuration issues, can be chained into a multi-stage attack that reaches the connected systems that act as a bridge between the corporate and industrial networks.
This is an opportunity to highlight a number of important principles:
- All communication through the cyber security perimeter introduces some risk. When putting in a cyber security perimeter, many organizations simply inventory the communication already taking place between the corporate network and the ICS and allow all of it through the firewall without assessing the risk of each flow.
- There should be no direct connections between the trusted ICS and the untrusted corporate network; data transfer should be mediated through a DMZ. This does not mean that no exploit of these vulnerabilities could ever reach the ICS, but many would be stopped in the DMZ, and all would require an additional compromise before reaching the ICS.
- There is a large and growing number of methods for passing ICS data to an ERP. The preferred method is to push the data out from the ICS to the DMZ, and then push it from the DMZ to the ERP on the corporate network. Because each hop is initiated from the more trusted zone, nothing on the corporate side ever needs to open a connection into the ICS. In the best case, different protocols are used between the ICS and the DMZ and between the DMZ and the ERP, and each protocol requires only a single TCP port to be allowed through the firewall.
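The three principles above can be checked mechanically against a proposed firewall policy. The following is an added example, not code from the original post or from ERPScan: a small policy audit that takes a list of allowed flows (initiating zone, destination zone, protocol, TCP port) and flags direct ICS-to-corporate flows, anything initiated toward the ICS, more than one port per zone pair, and the same protocol reused on both hops. The zone names, rule format and the sample policies are constructed for illustration.

```python
"""
Hypothetical firewall-policy audit for an ICS / DMZ / corporate design.
Added example; not the post's own code.  Rule format (constructed):
(src_zone, dst_zone, protocol, tcp_port), where src_zone is the zone
that initiates the TCP connection.
"""
from collections import defaultdict

ZONES = {"ics", "dmz", "corp"}


def audit_policy(rules):
    """Return a list of findings; an empty list means the policy satisfies
    all four checks: no direct ICS<->corp flow, nothing initiated into the
    ICS, one TCP port per zone pair, and different protocols on each hop."""
    findings = []
    ports_per_pair = defaultdict(set)
    protos_per_pair = defaultdict(set)

    for i, (src, dst, proto, port) in enumerate(rules, 1):
        if src not in ZONES or dst not in ZONES:
            findings.append(f"rule {i}: unknown zone {src!r}/{dst!r}")
            continue
        # Principle 2: every flow between ICS and corporate must go via the DMZ.
        if {src, dst} == {"ics", "corp"}:
            findings.append(f"rule {i}: direct {src}->{dst} flow bypasses the DMZ")
        # Principle 3: data is pushed out of the ICS; nothing initiates into it.
        if dst == "ics":
            findings.append(f"rule {i}: {src} initiates into the ICS; push data out instead")
        ports_per_pair[(src, dst)].add(port)
        protos_per_pair[(src, dst)].add(proto)

    # Principle 3: each zone pair should need exactly one TCP port.
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) > 1:
            findings.append(f"{src}->{dst}: {len(ports)} ports open, expected one")

    # Principle 3 (best case): a different protocol on each hop.
    shared = protos_per_pair[("ics", "dmz")] & protos_per_pair[("dmz", "corp")]
    if shared:
        findings.append(
            f"protocol {sorted(shared)} used on both hops; prefer different protocols")
    return findings


# Constructed sample policies (not from the post or ERPScan).
BAD_POLICY = [
    ("corp", "ics", "opc-da", 135),    # ERP-side OPC client polls the ICS directly
    ("corp", "ics", "mssql", 1433),    # corporate reporting queries the historian
    ("ics", "corp", "https", 443),     # ICS posts data straight to the ERP
]

SAME_PROTO_POLICY = [
    ("ics", "dmz", "https", 443),
    ("dmz", "corp", "https", 443),
]

GOOD_POLICY = [
    ("ics", "dmz", "mqtt-tls", 8883),  # ICS pushes to a broker in the DMZ
    ("dmz", "corp", "https", 443),     # DMZ forwarder pushes to the ERP API
]

if __name__ == "__main__":
    for name, policy in (("bad", BAD_POLICY), ("same-proto", SAME_PROTO_POLICY),
                         ("good", GOOD_POLICY)):
        print(f"== {name} ==")
        for f in audit_policy(policy) or ["ok"]:
            print("  " + f)
```

Classic OPC (DCOM) is a good illustration of why the "one TCP port" goal matters: it negotiates dynamic ports after the initial connection to 135, so it cannot be cleanly pinned down to a single firewall rule, whereas OPC UA runs over a single configurable TCP port.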
By no means am I advocating preventing ICS data from being shared with ERP systems. The value of ICS data is only beginning to be identified and used for purposes beyond real-time monitoring of the process. If done correctly, this is far from the largest risk in almost all ICS installations today.