We were surprised recently to get a report that one of our EtherNet/IP Adapter stacks had a security vulnerability. We learned some interesting things from this report. Here’s what we learned:
Who is Doing the Testing
This vulnerability was discovered by researchers from the operational technology (OT) security company Claroty. The Claroty Research Team is known for its development of proprietary OT threat signatures, OT protocol analysis, and discovery and disclosure of industrial control system (ICS) vulnerabilities. The team works closely with industrial automation vendors to evaluate the security of their products, which are used by Claroty customers, with its extensive ICS testing lab.
Upon detecting a vulnerability, they notify the affected vendor and work with them to remediate it. Once the patch or new fixed version is ready to be released, Claroty notifies the Cybersecurity & Infrastructure Security Agency (CISA)’s ICS Cyber Emergency Response Team (ICS-CERT) to issue an advisory that helps customers mitigate the issue as needed.
Here is the statement from the DHS website:
Critical infrastructure describes the physical and cyber systems and assets that are so vital to the United States that their incapacity or destruction would have a debilitating impact on our physical or economic security or public health or safety. The nation’s critical infrastructure provides the essential services that underpin American society.
On November 16, 2018, President Trump signed into law the Cybersecurity and Infrastructure Security Agency Act of 2018. This landmark legislation elevates the mission of the former National Protection and Programs Directorate (NPPD) within DHS and establishes the Cybersecurity and Infrastructure Security Agency (CISA). CISA coordinates security and resilience efforts using trusted partnerships across the private and public sectors and delivers technical assistance and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.
What is Being Tested
Claroty researchers test a variety of industrial automation products used by their customers. In this case, the particular device was a customers device that utilized our code. The integration was in 2012. This seems problematic as there is a lot of legacy Modbus RTU, Modbus TCP, PROFINET IO, and EtherNet/IP devices that are used in critical infrastructure. It’s certain that these old devices are going to have security vulnerabilities.
What Vulnerability was Discovered?
The older code in the RTA device attempted to reduce RAM usage by limiting the size of a particular buffer used in an EtherNet/IP Forward Open request. By limiting the RAM, it made it possible for an attacker to attempt to overrun the buffer and use that to try to get control of the device. That line of code was changed a number of revision levels ago and is not an issue in current EtherNet/IP software revision levels.
When we were notified of this vulnerability, Claroty’s research tested our current revision level and verified that products built with the current revision level do not have this vulnerability.
What Should Users Do?
If you currently use RTA technology for your EtherNet/IP, contact our engineering team on 800-249-1612 to discuss your revision level and if your device is vulnerable.
Many users resist upgrading software revision levels of EtherNet/IP as per ODVA regulations; a change to a revision level means that the device must be retested and a new conformance test fee paid.
I suspect that there will be much more for all of us to do as we create secure EtherNet/IP and other devices. It will be a constant battle to fix software vulnerabilities and keep our devices secure.