Deep Lateral Movement in OT Networks: When Is a Perimeter Not a Perimeter?
Forescout’s Vedere Labs latest research report is the first systematic study into deep lateral movement: how advanced adversaries can move laterally among devices at the controller level – also known as Purdue level 1 or L1 – of OT networks.
Deep lateral movement lets attackers gain deep access to industrial control systems and cross often overlooked security perimeters, allowing them to perform highly granular and stealthy manipulations as well as override functional and safety limitations.
This research demonstrates that there is a lot of ”network crawl space”; that is, space that is not on asset owners’ radars, such as links that run between security zones at deep system levels that might not receive the attention they deserve. To close these gaps, an L1 device that sits between segments still needs a corresponding perimeter security profile.
In the proof-of-concept developed for this research, we use two new vulnerabilities that we are publicly disclosing for the first time: CVE-2022-45788 and CVE-2022-45789. They allow for remote code execution (RCE) and authentication bypass, respectively, on Schneider Electric Modicon programmable logic controllers (PLCs) – one of the most popular families of PLCs in the world, used in several critical infrastructure sectors. These issues were found as part of our OT:ICEFALL research in 2022 but were not disclosed then at the request of the vendor. More details about the issues are available on Schneider Electric’s advisories SEVD-2023-010-05 and SEVD-2023-010-06
There is little prior work on lateral movement for L1 devices, which has mostly focused on worms moving between identical L1 devices on the same segment or upstream hacking to L2 and above (e.g., from a PLC to an engineering workstation). Vedere Labs hopes that with this new research we increase the cybersecurity community’s understanding of deep lateral movement and how to mitigate attacks.
Here are the main findings of the research. For full details, read the technical report.
What is deep lateral movement?
OT L1 devices such as PLCs are notoriously insecure. RCE has been demonstrated against many of them using techniques such as insecure engineering interfaces (see OT:ICEFALL), malicious logic or firmware downloads and memory corruption vulnerabilities (see Project Memoria). Additionally, malware such as TRITON has shown that real-world threat actors are both capable of and interested in developing such capabilities.
Regardless, L1 devices that sit at the intersection of multiple, mixed networks (from Ethernet and fieldbuses to industrial wireless and trunked radio) are frequently treated as security perimeters. However, they lack the hardening and risk profiles that would accompany workstations or servers in a similar position. Worse yet, vendor and regulatory guidance may implicitly support this practice.
This issue has become more pertinent with the rise of the Industrial Internet of Things (IIoT), where gateways enable direct communications between L1 devices on the edge and cloud platforms, potentially exposing this soft underbelly beyond the traditional hardening at the intermediate Purdue levels.
Why bother with deep lateral movement?
Deep lateral movement can enable attackers to achieve outcomes otherwise impossible. Attackers might use this technique for two main reasons:
- Perimeter crossing. Attackers may need to move around hardened or across unacknowledged perimeters. A common example of zone-crossing at level 1 is the interaction between the basic process control system – which directly controls the industrial process being automated – and a safety instrumented system – which is responsible for safety, emergency procedures and bringing the industrial process to a safe state. Another underestimated perimeter in OT is the one regulated by fieldbus couplers. Couplers are very limited gateways that move specific sets of input/output values between two different fieldbuses and are often used as perimeters between asset owners and third-party managed systems.
- Granular control. Deep lateral movement may be used to establish more granular control over specific systems by interacting with nested devices in a way not possible through what is intentionally exposed. To bypass functional and safety limitations or reach deeply nested devices, attackers may have to move through multiple L1 devices first.
Newly disclosed vulnerabilities in Schneider Electric Modicon PLCs
As mentioned, the Schneider Electric Modicon family of PLCs is one of the most popular in the world. In fact, Modicons were the first PLCs on the market when introduced in 1968. The popularity of these devices has led to their targeting by threat actors. As a part of the recent wave of hacktivist attacks targeting OT, the GhostSec group targeted an exposed M340 belonging to the Nicaraguan ISP UFINET by writing the value 0 to all its Modbus registers.
The newly uncovered issues, summarized below, only affect the Modicon PLC Unity line. CVE-2022-45788 is an example of RCE via an undocumented memory write operation, while CVE-2022-45788 exemplifies a broken authentication scheme. As we explain in the technical report and demonstrate in the proof-of-concept for L1 lateral movement, when combined, these vulnerabilities can lead to RCE on Modicon Unity PLCs.
|CVE ID||Affected Products & Versions||Description||CVSS||Potential Impact|
|CVE-2022-45788||EcoStruxure Control Expert –
EcoStruxure Process Expert –
Version V2020 and prior
Modicon Unity PLCs
(BMXP34*, BMEP*, BMEH*, BMEP58*S, BMEH58*S, 171CBU*, BMKC80, 140CPU65*, TSXP57*) – All versions
|A vulnerability exists that could cause arbitrary code execution, denial of service and loss of confidentiality & integrity when undocumented Modbus UMAS CSA commands (service code 0x50) are executed.
|CVE-2022-45789||EcoStruxure Control Expert –
EcoStruxure Process Expert –
Version V2020 and prior
Modicon Unity PLCs
(BMXP34*, BMEP*, BMEH*, BMEP58*S, BMEH58*S) – All versions
|A vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session.
Note that while Schneider Electric describes CVE-2022-45788 as relating to downloading malicious project files, this vulnerability actually operates on a completely different – undocumented – set of functionality that allows for modifyinginternal PLC memory without affecting the PLC run state or requiring a project download.
As noted, Modicon PLCs are extremely popular and widely used around the world. Estimating the number of affected devices based on public data is difficult because these devices are not supposed to be accessible via the internet. However, we are still able to see close to a thousand PLCs exposed online via Shodan, predominantly in the powerindustry (44%), followed by manufacturing (19%) and agriculture (15%). We found multiple instances of public subnets, likely used by system integrators or contractors, exposing Modicon PLCs for different power generation projects.
For full details on the estimated number of affected devices by country and industry – including close to 30 devices mapped to critical infrastructure operators – read the technical report.
For mitigation of CVE-2022-45788 and CVE-2022-45789, follow the steps on Schneider Electric’s advisories SEVD-2023-010-05 and SEVD-2023-010-06.
Proof-of-concept: cyber-physical attack on movable bridge
To demonstrate the feasibility of deep lateral movement, we developed a proof-of-concept exploit chain against a nested device setup consisting of several popular PLCs: Schneider Electric Modicon M350, Allen-Bradley GuardLogix and WAGO 750 series. The setup was designed to disallow direct or routed access to crucial controllers and safety systems, demonstrating the techniques that advanced adversaries might employ to circumvent such restrictions.
The scenario we built represents an attacker attempting to gain control over movable bridge infrastructure, with the intent of carrying out a cyber-physical attack to close the bridge at full speed, with safety systems disabled to either hit the bearings with the lock-bar driven or trigger an emergency stop at full velocity causing large inertial forces to damage the bridge.
This scenario is typically very difficult or even impossible to carry out with simple control over a central SCADA interface.
To walk through the full proof-of-concept, read the technical report. Or, watch the video:
Conclusions and mitigation recommendations
The all-too-common habit of treating certain links – such as serial, point-to-point, radio frequency and couplers – as if they’re immune to many of the same issues that we see on regular Ethernet LAN networks is something that needs to be critically reevaluated.
The impact of a compromised device is not limited to the explicit capabilities of a link or its first-order connectivity. Just because it only exposes a few Modbus registers or is hooked up to an uninteresting device does not mean that an attacker cannot turn that link into something else and use that uninteresting device as a staging point for moving towards more interesting targets.
With the access attackers achieve through deep lateral movement, things might become possible which magnify the impact of an attack.
Mitigating the risks of deep lateral movement requires a careful blend of network monitoring to detect adversaries as early as possible, visibility into often overlooked security perimeters at the lower Purdue levels and hardening the most interconnected and exposed devices.
We recommend the following mitigation strategies for hardening L1 devices and networks:
- Disable unused services on devices. For instance, if UMAS over Ethernet is not required on a PLC, disable it. Even if the PLC is nested, since we showed in this report how attackers can leverage vulnerabilities on nested devices.
- Use deep packet inspection (DPI) firewalls and IP-based access control lists to restrict sensitive flows between engineering workstations and PLCs. In cases where only subsets of protocols are required, use DPI to restrict this further.
- From a forensics perspective, ingest level 1 event logs that contain indicators of malicious activity of this kind.
- Enforce segmentation through OT-DPI firewalls and/or conformance-checking gateways, including for point-to-point links.
- Depending on the risk , certain point-to-point links that cross highly sensitive segments might warrant dedicated drop-in DPI firewalls for Ethernet. For serial links with similar profiles, you might want to consider inline taps that collect data out-of-band.
Forescout helps you gain visibility into even deeply nested OT networks, and our DPI technology detects advanced threat actor TTPs in these networks.