Three Post-EOL Fixes for Windows XP
Microsoft has issued emergency security updates for Windows XP on three separate occasions since it reached end of life in April 2014. These updates fixed the following:
- An Internet Explorer vulnerability affecting all versions of Windows, patched in May 2014, one month after XP's end of life.
- The SMBv1 vulnerability (MS17-010) exploited by WannaCry ransomware in May 2017, which is still being exploited on the Internet to this day.
- A vulnerability (CVE-2019-0708, "BlueKeep") in Remote Desktop Services that allows unauthenticated remote code execution over RDP, with no credentials or user interaction required, against Windows versions from Windows 2000 through Windows 7 and Server 2008 R2 (Windows 8 and later are not affected).
Why Is This Important for Industrial Control Systems?
For many years, Windows XP and Windows XP Embedded have been critical components of many industrial control systems. XP is the operating system underneath various SCADA and HMI software packages found throughout every industrial vertical. In the recent past, ransomware like WannaCry has brought entire production facilities to a grinding halt. How much does a minute or an hour of downtime cost? Do you know how many Windows XP or Windows XP Embedded instances exist within your control environment? If you can identify where they are and how many there are, do you know whether Remote Desktop Protocol (RDP) is enabled on them, and whether it is actually needed to run your control system? And do you know whether protective controls are in place to limit the propagation of malware or ransomware that exploits the BlueKeep vulnerability (CVE-2019-0708; not to be confused with the later DejaBlue RDP vulnerabilities, which affect Windows 7 and newer but not XP)? Because BlueKeep needs no credentials and no user interaction, it is wormable in the same way the WannaCry vulnerability was: a single reachable, unpatched host can be used to reach the next one. Protective controls include disabling RDP where it is not needed and using network segmentation and access controls to limit where RDP traffic can traverse your control networks.
What Should You Do to Defend Against BlueKeep?
Fundamentally, there are two realistic options to mitigate the risk from BlueKeep, and they are best applied together:
- Patch all of your Windows XP instances across your entire environment using Microsoft's out-of-band update for CVE-2019-0708 (published through the Microsoft Update Catalog, since XP no longer receives Windows Update), assuming:
  - The patch has been tested, ideally with the automation vendor's approval, and does not interfere with the operation of HMI, SCADA or automation vendor software packages.
  - There is an accurate inventory of all of the Windows XP images throughout the control environment; a host you do not know about is a host you cannot patch.
- Implement foundational protective controls:
  - Device hardening: disable RDP on every XP host where it is not required.
  - Network segmentation, assuming some level of RDP is required:
    - Deny all RDP communication (TCP/3389) from the Internet and from Corporate IT at the OT border routers and firewalls.
    - Allow only a small, named set of management devices (for example a dedicated jump host) to RDP into the control networks to manage the XP workstations and HMI/SCADA packages, and deny RDP from everything else.
How to Maintain an Accurate Asset Inventory?
Tripwire has a number of different ways to help our customers know what is on their control networks. It is important to first understand that we have multiple ways to collect raw data and transform it into actionable information. Our techniques include:
- Active collection, where we query devices through their native industrial protocols such as Modbus TCP or EtherNet/IP CIP.
- Passive collection, where we analyze network traffic through a mirror (SPAN) port on a switch without sending any packets to the devices.
- Hybrid collection, where we harvest data from applications that already hold it, such as MDT AutoSave or Rockwell Automation FactoryTalk AssetCentre.
- Integrated collection, through compute modules within firewalls and sensor technology inside switches.
What’s Next After Asset Inventory? Visibility, Protective Controls and Continuous Monitoring
Asset inventory is one aspect of visibility, but there are other important components that will not only help you keep your control network secure against threats like BlueKeep but will also keep your control network and industrial process operational, thereby supporting productivity, quality, and safety. Other areas of visibility include:
- Vulnerabilities – Known weaknesses in every device on the network, hardware and software alike.
- Device log information – Operational faults, failed login attempts, network errors, duplex mismatches, master clock issues, etc.
- Configuration changes – Engineering workstations, controllers, HMIs, historians, switches, routers, firewalls, etc.
- Network Segmentation – Tofino Security appliances enable robust network segmentation (the practice of organizing networks into smaller segments or zones and explicitly permitting only the network communication required for the industrial application), so that applications or devices can be separated from one another.
- Device Hardening – Ensure all devices, including HMI, SCADA, engineering workstations, switches and routers, are configured to industry cybersecurity best practices and frameworks; examples include IEC 62443, NIST SP 800-82, and NERC CIP.
- Understanding when controller modes or configurations have been changed in ways that do not map to authorized work orders.
- Knowing whether a rogue asset has been connected to the network and is propagating malware or making connections to external networks.
- Monitoring engineering workstations and SCADA servers to ensure correct configuration against internal build specifications or a selected cybersecurity framework.