In 2020, Kaspersky ICS CERT discovered nine vulnerabilities in the ISaGRAF Runtime platform, which is used as an automation framework in multiple products in various industries across the globe. Besides the industrial control system (ICS), ISaGRAF’s application areas include transportation, power & energy, and other sectors, which means the security of the platform becomes of national interest. The vulnerabilities were fixed by the vendor, Rockwell Automation, in early 2022. The recent report issued by Kaspersky provides an overview of ISaGRAF framework and covers the most critical vulnerabilities identified along with possible attack vectors.
ISaGRAF is a programming technology and execution environment used by industrial entities worldwide. It is owned by Rockwell Automation and, today is customized and extended for different controller devices that belong to various vendors.
Since the ISaGRAF framework requires adaptation from the end product vendor, it can be difficult to protect users. To find out that a product is vulnerable, the user needs to wait for Rockwell Automation to fix the vulnerabilities and release an advisory and then wait for the product’s vendor to do the same. In some cases, the ISaGRAF supply chain is even longer with third-party vendors. Complicated patching procedures make the remediation process even more difficult as security patches can only be installed during a specific period of time (scheduled maintenance window).
Kaspersky ICS CERT analyzed the ISaGRAF framework functionality and discovered nine vulnerabilities that can be exploited by a remote or local attacker – whose ultimate goal is to escape the restricted environment of ISaGRAF and take full control of the device. The research showed that a remote attacker could penetrate the system via the ISaGRAF eXchange Layer (IXL) protocol used to transfer data within the framework. Rockwell Automation has issued a security advisory, published an update to fix some of the vulnerabilities, and has suggested mitigation measures for others.
“The ISaGRAF Runtime environment is considered to be the essential programming tool used within different industries throughout the world, including those of national importance. At Kaspersky, we have discovered several vulnerabilities that might greatly affect this system and its functionality. Although the vendors issued security patches to fix the discovered issues, our report underscores how serious these vulnerabilities in third-party components can be. Once again, we’d like to draw the attention of the product’s vendors to the advisory and the need to act on it,” comments Evgeny Goncharov, Head of Kaspersky ICS CERT.
Learn more about the ISaGRAF framework and the uncovered vulnerabilities on Kaspersky’s ICS CERT website.
To keep your ICS computers protected from various threats, Kaspersky experts recommend:
Regularly updating operating systems and any application software that are part of the enterprise’s industrial network. Apply security fixes and patches to ICS network equipment as soon as they are available.
Conducting regular security audits of OT systems to identify and eliminate possible vulnerabilities.
Using ICS network traffic monitoring, analysis and detection solutions for better protection from attacks that potentially threaten technological processes and main enterprise assets.
Providing dedicated ICS security training for IT security teams and OT engineers. This is crucial to improve response to new and advanced malicious techniques.
Providing the security team responsible for protecting industrial control systems with up-to-date threat intelligence. ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them.
Using security solutions for OT endpoints and networks such as Kaspersky Industrial CyberSecurity to ensure comprehensive protection for all industry critical systems.
Protect the IT infrastructure. Integrated Endpoint Security protects corporate endpoints and enables automated threat detection and response capabilities.