And Still Awaiting Calls To Replace Unauthenticated Protocols
Today Dragos released information on ICS malware they are calling FrostyGoop. The key lines from the release are:
“It is the first ICS-specific malware that uses Modbus communications to achieve an impact on operational technology (OT).” … “A “mode” option that correlates to a Modbus command to execute on the ICS device (Read Holding Registers, Write to Single Holding Register, Write to Multiple Holding Registers)”
This is not attack code. It is a Modbus client sending legitimate, properly formed commands to a Modbus server. The longstanding, widely used Modbus TCP protocol lacks authentication. There is no bug that is being exploited. It’s working exactly as designed.
If an attacker gains access to a PLC, RTU, controller, or other Level 1 device that is running an unauthenticated control protocol, then the attacker can do whatever they are smart enough to figure out and the I/O and safety/protection allow.
The report’s Guidance for Dragos’ Customers section has a list of seven IDS rules for Modbus traffic. It’s amusing, and sad, that most of these are the same simple rules we (Digital Bond) released in August of 2004. Sad because 20 years later Modbus TCP without authentication is still in use.
The Dragos report is another example of why we haven’t seen progress. What they have for remediation is not wrong, although unsurprisingly detection is emphasized, but it is incomplete. It’s missing the remediation that addresses the core problem: the ICS control protocol is unauthenticated.
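To make the point concrete, here is an added example (not code from the Dragos report or from Digital Bond’s 2004 rules): a minimal Modbus/TCP request decoder plus the kind of allowlist rule those IDS signatures implement. Every frame below is a valid, properly formed request; the only thing a detector can key on is the function code and where the packet came from, because the protocol carries no credential. The IP addresses and frames are constructed.

```python
import struct

# Standard Modbus function codes; the three named in the Dragos report
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = {WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode a Modbus/TCP request: 7-byte MBAP header, then the PDU.
    No field anywhere carries a credential, nonce or signature."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc, data = frame[7], frame[8:]
    req = {"tid": tid, "unit": unit, "fc": fc}
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        key = "count" if fc == READ_HOLDING_REGISTERS else "value"
        req["addr"], req[key] = struct.unpack(">HH", data[:4])
    elif fc == WRITE_MULTIPLE_REGISTERS:
        req["addr"], req["count"], nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * req["count"] or len(data) != 5 + nbytes:
            raise ValueError("byte count inconsistent with register count")
        req["values"] = list(struct.unpack(">%dH" % req["count"], data[5:]))
    return req

def flag_writes(packets, allowed_writers):
    """IDS-style rule: alert on any register write whose source is not an
    approved HMI/engineering host. The frame is valid either way; the source
    address is the only thing an unauthenticated protocol lets us check."""
    alerts = []
    for src, frame in packets:
        req = parse_modbus_tcp(frame)
        if req["fc"] in WRITE_FUNCTIONS and src not in allowed_writers:
            alerts.append((src, req["fc"], req["addr"]))
    return alerts

# Constructed sample traffic and allowlist (not from the report)
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("0001000000060103000a0002")),   # HMI reads 2 registers
    ("10.0.0.5", bytes.fromhex("00020000000601060010001f")),   # HMI writes register 16
    ("10.0.0.99", bytes.fromhex("00030000000b0110002000020412345678")),  # unknown host writes 2
]
ALLOWED_WRITERS = {"10.0.0.5"}
```

Note that the third frame is rejected only because of its source address; swap the address for an approved one and the decoder accepts it unchanged, which is exactly the gap an authenticated protocol closes.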
There’s a solution: Modbus/TCP Security. Where is the recommendation to upgrade to Modbus/TCP Secure or another secure control protocol? We now have CIP Secure, OPC UA, BACnet Secure and other authenticated protocols.
Yes, this is not something that can be done quickly in most cases. It is something that can and must be done unless we want to live another two decades in a world where access to ICS = compromise, with the hope that detection and response can limit the consequences.
Dragos is a convenient target for this rant since they reported out ICS malware leveraging the unauthenticated Modbus protocol. My real ire, since at least 2012 with our Project Basecamp, is with the US Government, DHS, now CISA. This core problem gets little attention, no bully pulpit.
When it is mentioned, it is in a long list of security controls, and now under the secure by design banner. So many of those security recommendations, while not wrong, will have almost no impact until this core problem is addressed.
It’s not difficult to say all new ICS should be deployed with authenticated protocols. It’s not difficult to say all existing ICS in critical infrastructure should have a program to migrate to authenticated protocols.
Can FrostyGoop be a trigger to begin prioritizing this long-standing, core problem?