Vulnerability assessments are important to thoroughly analyze advisories from vendors as many have incomplete details, incorrect exploitation conditions, or require deeper research. The presentation provides examples of vulnerabilities from GE Grid Solutions, Schneider Electric, Cisco, Rockwell Automation and Bosch where the initial CVSS scores and details were updated after further analysis. It also outlines Kaspersky's vulnerability assessment process of monitoring, research, and analysis to help improve ICS security.

1. Vulnerability
Assessment
in ICS
Artem Zinenko
Kaspersky Industrial Cybersecurity Conference 2021

2. 2
План
доклада
Зачем анализировать
advisory вендоров?
Примеры
Наш подход
Agenda

3. Зачем
анализировать
advisory
вендоров?

4. 4
78%
ICS уязвимостей с «вопросами»

5. 5
39%
с ошибками в условиях эксплуатации

6. 6
31%
ICS уязвимостей нужно глубокое исследование

7. GE Multilin UR.
“Factory” user

8. 8
GE Grid Solutions
(https://www.gegridsolutions.com/app/DownloadFile.aspx?prod=c60&type=21&file=90)
UR devices without CyberSentryTM
software option do not allow the
disabling of the “Factory Mode”,
which is used for servicing the IED
by a “Factory” user.
GES-2021-004

9. 9
GE Grid Solutions
(https://www.gegridsolutions.com/app/DownloadFile.aspx?prod=c60&type=21&file=90)
Vulnerability score: High
GES-2021-004

10. 10
CISA (https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02)
CVSSv3 Base Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ICSA-21-075-02

11. 11

12. 12

13. 13

14. 14
GE Grid Solutions
(https:/
/www.gegridsolutions.com/app/DownloadFile.aspx?prod=c60&type=21&file=90)
UR devices without CyberSentryTM
software option do not allow the
disabling of the “Factory Mode”,
which is used for servicing the IED
by a “Factory” user.
GES-2021-004

15. 15

16. 16

17. 17
Результаты
Attack Vector: Network -> Physical
Privileges Required: None -> High
Confidentiality: High -> None
CVSSv3 Base Score: 9.8 -> 5.5

18. 18

19. SE Modicon.
Denial of service
vulnerability

20. 20
SE (https://www.se.com/ww/en/download/document/SEVD-2019-134-11/)
A CWE-248 Uncaught Exception
vulnerability exists which could
cause a denial of service when
sending invalid debug parameters
to the controller over Modbus.
SEVD-2019-134-11 (CVE-2018-7854)

21. 21
SE (https://www.se.com/ww/en/download/document/SEVD-2019-134-11/)
CVSSv3 Base Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SEVD-2019-134-11

22. 22
SEVD-2019-134-11
SE (https://www.se.com/ww/en/download/document/SEVD-2019-134-11/)

23. 23
Cisco Talos (https:/
/talosintelligence.com/vulnerability_reports/TALOS-2019-0765)
This can be completed by first
obtaining a PLC reservation, and
then sending a data payload …
TALOS-2019-0765

24. 24
Протокол UMAS
Modbus Function Code (0x5A) Session Data
UMAS Function Code

25. 25
Резервация

26. 26
Резервация
TAKE_PLC_RESERVATION
(SECRET)

27. 27
Резервация
TAKE_PLC_RESERVATION
(SECRET)
SESSION

28. 28
Резервация
TAKE_PLC_RESERVATION
(SECRET)
SESSION
UMAS request
with session

29. 29
Резервация
TAKE_PLC_RESERVATION
(SECRET)
SESSION
UMAS request
with session
UMAS response

30. 30
ADMIN PRIVILEGES REQUIRED!!!

31. 31
Результаты
Privileges Required: None -> High
CVSSv3 Base Score: 7.5 -> 4.9

32. 32

33. Rockwell
Automation.
ISaGRAF
vulnerabilities

34. 34
Компоненты ISaGRAF
ISaGRAF
Virtual
Machine
PLC
ISaGRAF
Workbench
ISaGRAF
Application

35. 35
~1.5 года от репорта до
выпуска advisory
вендором
8 уязвимостей, 2 RCE
ISaGRAF vulnerabilities
Rockwell Automation
(https://rockwellautomation.custhelp.com/app/answers/answer_view/a_id/1131699)

36. 36
250
Семейств ПЛК с ISaGRAF Runtime

37. 37
Rockwell
Automation
(USA)
Fiord (RU)
Кто и где использует
ISaGRAF
Runtime
Leroy
Automation
(FR)
EKE
(FIN)
Talgo
(Spain)
SNCF
(FR)
London
Underground
Поезд Санкт
– Петербург
- Хельсинки
Румыния Китай
Россия
CAF
(Spain)
Европрибор
Вымпел
Owen
SE
GE
RA

38. 38
https://fiord.com/poisk-po-saytu/apparatnye-sredstva/programmno-apparatnye-
isagraf-platformy/isagraf
Программирование
контроллера
осуществляется с
помощью среды
разработки ISaGRAF 5
Workbench.
Уязвим ли ФИОРД-201?

39. Bosch IP cameras.
CSRF
vulnerability

40. 40
Bosch PSIRT (https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-
sa-033305-bt_cve-2021_23849_ip_cameras.pdf)
A vulnerability in the web-based
interface allows an
unauthenticated remote attacker
to trigger actions on an affected
system on behalf of another user.
BOSCH-SA-033305-BT

41. 41
Что такое CSRF?

42. 42
Что такое CSRF?
GET http://attacker.com

43. 43
Что такое CSRF?
GET http://attacker.com

44. 44
Что такое CSRF?
GET http:/
/attacker.com
GET http://camera/...

46. 46
Bosch PSIRT (https://media.boschsecurity.com/fs/media/pb/security_advisories/bosch-
sa-033305-bt_cve-2021_23849_ip_cameras.pdf)
CVSSv3.1 Base Score: 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
BOSCH-SA-033305-BT
???

47. 47

48. 48
Результаты
Attack Complexity: High -> Low
CVSSv3 Base Score: 7.5 -> 8.8

49. Процесс анализа
уязвимостей
KL ICS CERT

50. 50
Мониторинг
Vulnerability assessment process

51. 51
Мониторинг
Исследование
Vulnerability assessment process

52. 52
Мониторинг
Исследование
Анализ
Vulnerability assessment process

53. 53
Чем мы можем помочь?

54. Thank you!
Artem.Zinenko@kaspersky.com