Georgia Institute of Technology Warns Automation Community about Underestimated Risks of Externally Accessible Programmable Logic Controllers
In 2012, WAGO established a Product Security Incident Response Team (PSIRT) to manage potential vulnerabilities. We are certified according to IEC 62443-4-1 and support our customers in operating their WAGO products safely and in protecting existing processes in the context of industrial automation in the best possible way. Hackers’ searches for potential angles of attack are becoming more and more targeted and even include access via Internet. An additional risk comes from search engines like shodan.io and censys.io, which can find unsecured controllers with connections to the Internet, such as WAGO PFCs. That makes it all the more important for our customers to protect their controllers and configure them securely for their specific environments.
A study by the Georgia Institute of Technology has illustrated the relevance of this topic once again. The researchers found that significantly more programmable logic controllers (PLCs) are susceptible to remote attacks than was previously assumed. “Uncovering publicly accessible PLC devices is a crucial step toward securing critical infrastructure,” said Ryan Pickren, lead researcher for the study. “Attackers are actively using the public Internet to attack vulnerable PLCs, so operators need to know which devices are at risk,” explained Pickren. The study demonstrates the limitations of conventional ICS security research methods, which often rely on simple queries from services such as Shodan and Censys to identify at-risk PLCs. The “best-effort” queries used in previous studies tend to search only for simple static keywords that are disclosed by certain protocols. But this often fails to capture the dynamic nature of modern multi-protocol PLC devices, including those from WAGO.
Ryan Pickren
Lead researcher for the study, Georgia Institute of Technology
The researchers at Georgia Tech found that factors such as ICS firewalls, PLC firmware versions and customer configurations cause PLCs to divulge incomplete and transitory network data that simple queries are unable to detect. “Modern PLCs communicate through many different network protocols, each of which provides a unique fingerprint that changes over time depending on the firmware version and other customer-specific settings. Simplistic IoT search engine queries no longer capture the entire range of possibilities,” says Pickren. As a result of this complexity, previous security analyses on the Internet have inadvertently ignored a large proportion of the vulnerable devices. The researchers claim that the actual number of at-risk devices could be up to 37 times higher than previously documented. The researchers have already begun to contact the affected parties so that they can correct the network misconfigurations that led to this – presumably unintentional – possibility of Internet access.
“Such a high number of unreported cases illustrates the ever-increasing need for more secure operation of OT systems, especially when they are connected to the Internet. For this reason, WAGO is launching new consulting services, along with other measures like hardening guidelines, so that in future, we will be able to provide more sustained support for our customers with cybersecurity issues,” says Kilian Fröhlich (Business Development Manager at WAGO). “As a logical consequence of the steps already initiated for certification of our processes and products per IEC 62443-4-1 and 4-2 and for establishing our PSIRT team early on, WAGO is now taking the next step by setting up a Cybersecurity Consulting Team.” It will allow us to continue to provide the best possible support for our customers on cybersecurity issues, as well as offering new market services.”
Kilian Fröhlich
Business Development Manager, WAGO
All the details of the improved query technology and the impact on ICS security will be published in a forthcoming scholarly article. The Georgia Institute of Technology is calling on the automation community to rethink its security assessment methods and adopt more comprehensive approaches to accurately assess the vulnerability of critical infrastructure to potential cyber threats.
“We support this challenge from the Georgia Institute of Technology and are constantly working to improve our product security. Of course, secure equipment operation also includes continuous efforts to fix vulnerabilities that WAGO itself identifies or that are reported by other researchers, such as the Georgia Institute of Technology. The WAGO PSIRT team actively supports customers by publishing known vulnerabilities and fixes for them with our partner CERT@VDE,” says Dr.-Ing. Christopher Tebbe (Technology Management Security at WAGO). These advisories, which describe identified vulnerabilities and fixes for them, can be found here.
Dr.-Ing. Christopher Tebbe
Technology Management Security, WAGO
