Mitigating Risk and High-Risk Vulnerabilities in Unsupported Operating Systems: BlueKeep Edition

How many times has a vendor released a critical cybersecurity patch for an operating system that is in “end of life” (EOL), or the lifecycle period where the vendor no longer issues patches for bug fixes, operational improvements and cybersecurity fixes free of charge? So if a vendor takes the time and resources to break this freeze and issue a patch for an EOL operating system like it did in response to BlueKeep, what does it tell you? One thought is that if the vendor is going to take the time and energy to do this, there must be a really good reason to do so. That is, there must be some high level of confidence and certainty that a mass propagation of malware, worms or ransomware could have the potential to negatively affect the remaining global landscape of the legacy operating system, especially those that function in critical infrastructure and medical environments. It is important to understand that this dilemma faces every operating system or software application. When and why do we patch something after it is outside of its range of normal support or maintenance cycles? This is not just isolated to Windows or Windows XP. That being said, Windows XP is unique in that it still has a large worldwide footprint 18 years after becoming generally available to the market in October 2001. Windows XP entered its EOL term on April 14^th, 2014, and Windows XP Embedded entered its end of life on January 12, 2016.

Three Post-EOL Fixes for Windows XP

Microsoft has issued emergency critical cybersecurity updates to Windows XP upon three separate occasions since it entered its end of life. These updates included fixes for the following:

1. Vulnerabilities identified in Internet Explorer for all versions of Windows in May 2014.
2. Vulnerability leveraged by WannaCry ransomware in May 2017 that to this day is wreaking havoc across the Internet.
3. Vulnerability (CVE-2019-0709) in Remote Desktop Protocol that allows for remote code execution against numerous versions from Windows 2000 to Windows 7.

As you can see, Microsoft feels that patching CVE-2019-0709 is extremely important as it allows an attacker to perform remote code execution against a number of Windows platforms including legacy platforms like Windows 2000 and XP. Remote code execution is the piece of a vulnerability which would allow a worm or malware to spread from one machine to another over a network. Microsoft probably would not patch these bugs for their legacy OSes if they did not allow for remote code execution.

Why Is This important for Industrial Control Systems?

For many years, Windows XP and Windows XP Embedded have been critical components to many industrial control systems. XP is the operating system for various SCADA and HMI software packages found throughout every industrial vertical. In the recent past, ransomware like WannaCry have taken entire production facilities to a grinding halt. How much does a minute or an hour of downtime cost? How do you know how many of Windows XP or Windows XP Embedded exist within your control environment? If you were able to concretely identify where and how many, do you know if Remote Desktop Protocol (RDP) is being used or is needed to run your control system? Also, do you know if there are protective controls in place to mitigate the risk of the propagation of malware or ransomware that might take advantage of the BlueKeep (aka Dejablue) vulnerabilities? Protective controls would include activities like disabling RDP if it is not needed and configuring network access controls through network segmentation to limit the exposure of where RDP could traverse your control networks.

What Should You Do to Defend Against BlueKeep?

Fundamentally, there are two realistic options to mitigate this potential risk from BlueKeep. These include the following:

1. Patch all of your Windows XP instances across your entire environment, assuming:
   • The patch will not impact operation of HMI, SCADA or automation vendor software packages from operating.
   • There is an accurate inventory of all of the Windows XP images throughout the control environment.
2. Implement foundational protective controls
   • Device hardening by disabling the use of RDP, if it is not required
   • Perform network segmentation assuming some level of RDP is required to be run
     • Deny all RDP communication from the Internet and Corporate IT at OT border routers and firewalls.
     • Only limit which devices are able to RDP into the control networks to manage the XP instances running workstations and HMI/SCADA packages.

As there is not a single silver bullet to mitigate the risks associated with BlueKeep, the best option is to do a combination of both as one can be a check and balance for the other. The success of either option has a common denominator, an accurate asset inventory. You can’t patch for BlueKeep, you can’t disable services and you can’t segment your network for assets that you do not know you have. What’s important is that doing nothing cannot be an option. Use this opportunity to either begin a cybersecurity journey or enhance your current program. BlueKeep is just one of many more vulnerabilities that will be targeted towards industrial control environments, so leverage efforts used against BlueKeep to help against the next big one. Don’t let these efforts go to waste.

How to Maintain an Accurate Asset Inventory?

Tripwire has a number of different ways to help our customers know what is on their control networks. It’s important to first understand that we have multiple ways to collect raw data and transform it into actionable information. Our techniques include:

1. Active collection capabilities where we query devices through their native industrial protocols such as Modbus TCP or Ethernet/IP CIP,
2. Passive collection capabilities where we can analyze network traffic through the use of a mirror port on a switch
3. Hybrid collection capabilities where we harvest data from applications that already have the data like MDT Autosave or Rockwell Automation FactoryTalk AssetCentre and,
4. Integrated collection capabilities through the use of hardware for compute modules within firewalls and sensor technology inside switches.

In order to create and maintain holistic visibility to an accurate inventory, you will likely need all four capabilities, as there will be certain parts of your network where only one collection capability is possible.

What’s Next After Asset Inventory? Visibility, Protective Controls and Continuous Monitoring

While asset inventory is an aspect of visibility, there are other important components that will not only help you keep your control network secure against threats like BlueKeep but will also keep your control network and industrial process operational, thereby driving productivity, quality, and safety. Other areas of visibility include:

• Vulnerabilities – Every device on the network, including hardware and software.
• Device log information – Operational faults, failed login attempts, network errors, duplex mismatches, master clock issues, etc.
• Configuration changes – Engineering workstations, controllers, HMI’s, historians, switches, routers, firewalls, etc.

Once visibility is achieved across all of those spectrums mentioned above, you can take the guessing game of what protective controls to implement out of the question. Whether you are adopting a framework or guideline such as IEC 62443, all industrial cybersecurity frameworks call for two fundamental measures: network segmentation and device hardening. Tripwire solutions can help to implement the following protective controls:

• Network Segmentation – Tofino Security appliances enable robust network segmentation (the practice of organizing networks in smaller segments or zones and explicitly permitting only the network communication required for the industrial application), so that applications or devices can be separated.
• Device Hardening – Ensure all devices including HMI, SCADA, engineering workstations, switches and routers are configured to industry cybersecurity best practices and frameworks, examples include IEC 62443, NIST SP 800-82, or NERC-CIP.

Once a foundation of visibility and protective controls has been established, you can begin continuously monitoring your control network for ongoing situational awareness to detect abnormal or unexpected behavior. This awareness allows you to keep your network operational and avoid unnecessary or unplanned downtime. How much time do you spend firefighting or performing unplanned work? Tripwire solutions can enhance awareness via a continuous monitoring solution by doing the following:

• Understanding when controller modes or configurations have been changed that do not map to authorized work orders.
• Knowing if a rouge asset has been connected to the network and is propagating malware or making connections to external networks.
• Monitoring engineering workstations and SCADA servers to ensure correct configuration against internal build specifications or a selected cybersecurity framework.

For more information, check out one of my prior blogs:  ICS Cybersecurity: Visibility, Protective Controls, Continuous Monitoring – Wash, Rinse, Repeat. Also, be sure to check out Tripwire solutions at https://www.tripwire.com/solutions/industrial-control-systems/.