
Avoiding Critical Vulnerabilities in OT Environments.

We have solutions that reduce the risk caused by critical operating system vulnerabilities.

Last Tuesday, Microsoft released several security updates to correct 117 vulnerabilities, 8 of which were zero-days already being actively exploited.
These vulnerabilities affect a multitude of Microsoft services, from CIFS, Bing, Microsoft Dynamics, Exchange Server, Office, the Scripting Engine, DNS, Windows Shell and Windows SMB to the TCP/IP stack itself.

The main vulnerabilities that have been patched are:

  • CVE-2021-34448: critical vulnerability (CVSS 6.8) that allows remote code execution on any version of Windows, including servers.
  • CVE-2021-34458: critical vulnerability (CVSS 9.9) that affects the Windows kernel and may allow remote code execution.
  • CVE-2021-31979 and CVE-2021-33771: Windows kernel vulnerabilities (CVSS 7.8) that may allow privilege escalation.
  • CVE-2021-33781: vulnerability (CVSS 8.1) that affects the security functions of Active Directory.
  • CVE-2021-34494: major flaw in the Windows DNS service.
  • And many more…

Not forgetting CVE-2021-34527, or “PrintNightmare”, a very serious flaw in the print spooler (print queue) of most versions of Windows. In many cases the only available fix has been to disable printing altogether, with the obvious inconvenience of not being able to print.


Therefore, the obvious recommendation is to UPDATE and install the security patches.

But what about OT environments?

Let us remember that industrial environments contain a multitude of devices that are surely exposed to these vulnerabilities, but updating their operating systems, like any other change, must be carried out in a procedural and standardized way.


In these environments, we find that the time needed to test, validate and deploy the patches is so long that it usually overlaps with the next “batch” of patches to be evaluated.

The result is that the equipment is not patched, leaving it exposed.

Following a defense-in-depth strategy, if we cannot remove the vulnerability that puts our assets at risk (by patching), what is proposed is to introduce complementary measures that raise the level of protection around it. For these cases, we propose 3 complementary courses of action:

A) Monitoring, intrusion detection and anomaly detection systems.

These systems constantly evaluate the traffic circulating on the network in a non-intrusive way to alert if any suspicious element is detected.

Normally, capture probes are installed at strategic points on the network, both to inspect traffic for known attack patterns and to profile the “normal” behavior of the network devices so that anomalous behavior can be told apart from it.


Radiflow iSID is a good example of solutions of this type.
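To make the “profile normal behavior, then flag deviations” idea concrete, here is an added illustration that is not part of the original article and not Radiflow’s code: a minimal passive flow-baseline detector in Python. All hosts, addresses, ports and flow records are constructed sample values.

```python
"""Minimal passive flow-baseline anomaly detector (constructed example).

Learns which (source, destination, port, protocol) conversations are
"normal" during a learning window, then flags any flow outside that
profile. Nothing is blocked: like a network probe, it only alerts.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed learning-window flows: an HMI polling two PLCs over
# Modbus/TCP and an engineering workstation reaching a historian (OPC UA).
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.21", 502, "tcp"),   # HMI -> PLC1 Modbus
    Flow("10.0.1.10", "10.0.2.22", 502, "tcp"),   # HMI -> PLC2 Modbus
    Flow("10.0.1.50", "10.0.1.60", 4840, "tcp"),  # EWS -> historian OPC UA
]

def learn_baseline(flows):
    """Return the set of conversations observed during the learning window."""
    return {(f.src, f.dst, f.dport, f.proto) for f in flows}

def classify(flow, baseline):
    """Return None if the flow fits the profile, otherwise an alert string.
    A new service between two already-known peers is reported separately
    from a completely unknown peer, because a known host suddenly using a
    new protocol towards a PLC is a different investigation than a new host."""
    key = (flow.src, flow.dst, flow.dport, flow.proto)
    if key in baseline:
        return None
    known_pairs = {(s, d) for s, d, _, _ in baseline}
    if (flow.src, flow.dst) in known_pairs:
        return f"new service {flow.proto}/{flow.dport} between {flow.src} and {flow.dst}"
    return f"new conversation {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}"

def detect(flows, baseline):
    """Run classify() over a batch of flows and return only the alerts."""
    return [a for a in (classify(f, baseline) for f in flows) if a]

# Constructed monitoring-window flows: normal polling plus two deviations.
MONITORED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.21", 502, "tcp"),   # normal Modbus poll
    Flow("10.0.1.10", "10.0.2.21", 445, "tcp"),   # SMB towards a PLC: anomalous
    Flow("10.0.9.77", "10.0.2.22", 502, "tcp"),   # unknown host polling PLC2
]

if __name__ == "__main__":
    for alert in detect(MONITORED_FLOWS, learn_baseline(BASELINE_FLOWS)):
        print("ALERT:", alert)
```

A real probe would key the baseline on far richer features (function codes, timing, packet sizes) and age it over time, but the deny-nothing, alert-on-deviation shape is the same.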

B) Hardening the endpoints exposed to these vulnerabilities, without needing to install the patches.

TrendMicro StellarEnforce is a good example. This solution lets you build a whitelist of the code that is allowed to run on the machine; any attempt to alter it or to execute an unauthorized application is detected and blocked. In this way we can protect equipment against 0-day vulnerabilities without depending on official patches, on recurring updates of attack patterns, or on connectivity to anything else to keep the protection current.


C) Very critical equipment.

For equipment so critical that nothing at all can be installed on it, you can opt for TXOne technology and insert an inline IPS device in its network connection. With this solution, critical assets are shielded from network attacks without having to resort to hyper-segmentation of the network.

We will not solve the present vulnerability, but we will prevent any malicious network traffic from exploiting it.


In short, even if we cannot apply security patches due to the idiosyncrasies of the environment, we have solutions that reduce the risk caused by operating system vulnerabilities.