
Toughen up! The value of a robust vulnerability-management program

June 21, 2023
Security must work hand in hand with IT and OT teams to remediate known vulnerabilities, which still drive the vast majority of cyber-attacks.

Recently there was an attack exploiting two known vulnerabilities (CVE-2023-34362 and CVE-2023-35036) in Progress’ MOVEit file-transfer software, affecting numerous government agencies that use it. Impacts are widespread, and Progress continues to disclose further vulnerabilities now that the product is under close scrutiny.

Once again, we see attacks on sectors that highlight the need for a robust vulnerability-management program. The breach of various government entities is not surprising. In this case, perhaps, what’s surprising is how widely this one piece of software is used across entities. Organizations tend to spend more money on fancy tools that generate impressive reports, when the most pressing need is for people to own these programs and take responsibility for the security of their networks.

This doesn’t just affect IT systems in government. Any industry, and in particular those utilizing industrial-control systems (such as manufacturing), can be caught off guard, for two reasons in particular.

First, programmable logic controllers can be difficult to patch. Rockwell Logix PLCs were affected by a vulnerability disclosed in 2021 that was hard-coded into the firmware; Rockwell chose to provide risk-mitigation steps instead of a patch. The difficulty of patching these systems tends to lead the engineers working with them to trust in other factors, such as firewalls, and in the belief that their systems are separated from the rest of the corporate network.

Second, due to numerous factors including a lack of skilled cybersecurity personnel and the increased desire for monitoring, many OT networks are not segmented properly. Many networks simply weren’t built properly, with no compartmentalization or segmentation. This means that any device—your computer, a VoIP telephone, a camera on the factory floor—could all potentially “talk,” enabling a threat actor to easily move around inside the network.

Neither of these factors removes the need for the foundational building blocks—the basics—of a robust security program, including asset tracking and vulnerability management. Asset tracking cannot just be a list of the networked devices an organization has. It needs to include the software installed on each device, the vendor point of contact (POC) for that software, and a person responsible for monitoring those vendors for updates. Running a vulnerability scan weekly means nothing if you aren’t also continually on the lookout for new updates, triaging the list, and judiciously (and quickly) applying the patches.

A good place to start is with the NIST Framework for Vulnerability Management. Understand, also, the impact that scans can have on OT devices. Speak to your OT engineers, and determine not just what assets you have, but also which ones are critical to keeping the manufacturing floor running. Security must work hand in hand with IT and OT teams to remediate known vulnerabilities, which still drive the vast majority of cyber-attacks.
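The following is an added example (not from the article or from Cloud Range) of what an inventory-driven triage might look like: it matches vendor advisories against the software recorded for each asset, weights the work by severity, floor criticality and zone, turns unpatchable devices into tracked mitigations rather than dropping them, and flags assets with nobody watching the vendor. All asset names, products, versions and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass

SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

@dataclass
class Asset:
    name: str
    zone: str            # "IT" or "OT"
    critical: bool       # does the manufacturing floor stop if this goes down?
    patchable: bool      # False for devices whose fix is a mitigation, not a patch
    software: dict       # product -> installed version string
    vendor_poc: str      # who is watched for update notices ("" if nobody)

@dataclass
class Advisory:
    cve: str
    product: str
    fixed_in: str        # first version that contains the fix
    severity: str

def ver(v):  # parse "a.b.c" into a tuple so 1.10.0 sorts after 1.9.9
    return tuple(int(p) for p in v.split("."))

def triage(assets, advisories):
    """Return (score, asset, cve, action) rows, highest priority first.
    Unpatchable assets get a 'mitigate' row; assets with no vendor POC get an ownership row."""
    work = []
    for a in assets:
        if not a.vendor_poc:
            work.append((1, a.name, None, "assign vendor POC"))
        for adv in advisories:
            installed = a.software.get(adv.product)
            if installed is None or ver(installed) >= ver(adv.fixed_in):
                continue  # product not installed, or already at a fixed version
            score = SEVERITY[adv.severity] + (3 if a.critical else 0) + (1 if a.zone == "OT" else 0)
            action = "patch" if a.patchable else "mitigate (cannot patch)"
            work.append((score, a.name, adv.cve, action))
    return sorted(work, key=lambda w: -w[0])

# Constructed sample inventory and advisories (placeholder products and CVE ids).
ASSETS = [
    Asset("ft-server-01", "IT", False, True, {"ftx-transfer": "2.1.0"}, "vendor-a@example"),
    Asset("line3-plc", "OT", True, False, {"plc-firmware": "1.4.2"}, ""),
    Asset("hmi-panel", "OT", True, True, {"plc-firmware": "1.5.0"}, "vendor-b@example"),
]
ADVISORIES = [
    Advisory("CVE-0000-EXAMPLE-1", "ftx-transfer", "2.1.5", "critical"),
    Advisory("CVE-0000-EXAMPLE-2", "plc-firmware", "1.5.0", "high"),
]
```

Calling `triage(ASSETS, ADVISORIES)` on the sample data puts the unpatchable, floor-critical PLC first as a mitigation item, the file-transfer server second as a patch, and the missing vendor contact last.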

About the Author

Tom Marsland

Vice president of technology with Cloud Range