Blended Threats: VPN Bugs Could Cause Physical Impacts with Critical Lifeline Sectors

In a blog post on 28 Jul, security researchers at Claroty (@Claroty) shared that they have “discovered remote code execution vulnerabilities affecting virtual private network (VPN) implementations primarily used to provide remote access to operational technology (OT) networks. These dedicated remote access solutions are mainly focused on the industrial control system (ICS) industry… Exploiting these vulnerabilities can give an attacker direct access to the field devices and cause some physical damage.”

At Gate 15, we spend a lot of time discussing Blended Threats. A Blended Threat is a natural, accidental, or purposeful physical or cyber danger that has or indicates the potential to have crossover impacts and harm life, information, operations, the environment, and/or property.

Reading further in the post, the researchers add, “The vulnerable products are widely used in field-based industries such as oil & gas, water utilities, and electric utilities… Leveraging vulnerabilities in edge devices such as (these…) can provide these groups with direct access to ICS devices and key target areas, which when taken over could potentially yield the most benefit for these attackers’ business model. A good example of attackers using this exact tactic is the recent Honda attack.” In that attack, using SNAKE / EKANS Ransomware, “Honda temporarily shut some of its production facilities, as well as both the customer service and financial services operations” (read more on the Honda attack at Forbes and more about the ransomware at BleepingComputer and Dragos).

We encourage you to read Claroty’s complete post, which includes a deeper dive with additional details and the disclosure timeline – all very properly and professionally coordinated and shared.

An increasingly connected world – and one that is still largely relying on remote work and VPN use – is posing new threats to ICS and all connected devices. More broadly, those threats have cascading effects, from critical lifeline sectors to everyone who depends on them. CISA (@CISAgov) offers some good resources for ransomware and ICS security, including this recent announcement, “CISA Releases Securing Industrial Control Systems: A Unified Initiative,” which “lays out CISA’s plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure.” Access the PDF directly here.


Understand the Threats. Assess the Risks. Take Action.


Understand the threats! Subscribe to our free daily paper and subscribe to our podcasts!

Take action! Our team is here to help you build the relationships and capabilities you need and to assist in the development of plans, training, and exercises to support your ability to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk to your organization in our complex, all-hazards environment.