By exploiting these flaws, hackers can access anything from sensors responsible for gauging temperature, pressure, liquid, air, and gas levels, as well as analyzers used to determine chemical compositions.
Forescout’s Vedere Labs has released a new research report on the topic of deep lateral movement. According to the researchers, it is the first comprehensive investigation of how hackers can move laterally between devices at Purdue Level 1, or L1 (also known as the controller level), of Operational Technology (OT) networks.
This means “sophisticated hackers” can now breach vulnerable networks and devices at the controller level of critical infrastructure and cause physical damage to crucial assets, such as movable bridges.
Their research found a great deal of network “crawlspace,” such as links running between security zones at deep system levels, that asset owners are generally unaware of. Vedere Labs noted that this gap needs to be closed at the L1 devices, since the segments they sit in require a “corresponding perimeter security profile.”
Proof-of-Concept
The PoC for this research was developed using two vulnerabilities that weren’t previously disclosed. These vulnerabilities (CVE-2022-45788 and CVE-2022-45789) allow authentication bypass and remote code execution on Schneider Electric Modicon PLCs (programmable logic controllers).
This is concerning because these are among the world’s best-known PLCs and are widely used in critical infrastructure, including the water/wastewater management, mining, energy, and manufacturing sectors.
Forescout discovered that around 1,000 PLCs had been exposed. Of these exposed PLCs, 33% were found in France, 17% in Spain, 15% in Italy, and 6% in the USA. Many of these devices were connected to solar parks, hydropower plants, and airports.
How Deeply Can Lateral Movement Affect System Security?
Through deep lateral movement, hackers can reach deeper into industrial control systems (ICS) and cross security perimeters they previously could not. This lets them carry out more granular and stealthy exploitation of the ICS while overriding safety and functional restrictions.
Hackers can access anything from sensors responsible for gauging temperature, pressure, liquid, air, and gas levels, as well as analyzers used to determine chemical compositions.
They can even target the actuators that move machinery. At the lowest level of deep lateral movement, adversaries can evade built-in functional safety limitations and cause service disruptions or damage, or even threaten lives.
Forescout’s head of security research, Daniel Dos Santos, stated that “mitigating the risks of deep lateral movement requires a careful balance of network monitoring to detect adversaries as early as possible, gaining visibility into often overlooked security perimeters at the lower Purdue levels, and hardening the most interconnected and exposed devices accordingly.”
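The two mitigations the report and Dos Santos point to, visibility into the overlooked perimeters at the lower Purdue levels and monitoring for controller-to-controller traffic, can be turned into a simple network-flow check. The script below is an added illustration written for this article, not Forescout’s tooling or anything from the report. It assumes an asset inventory that maps each IP to a Purdue level and a security zone, and flow records in a minimal `ts,src,dst,dport` CSV form; the inventory, zone names, addresses, flow lines and the rule names/severities are all constructed. The well-known OT protocol ports are used only to label findings. The rule that flags a controller initiating a connection upward to a higher-level host is a heuristic added here, not a claim from the report.

```python
"""Flag Purdue Level 1 'crawlspace' links from flow records (added example).

Rules applied to each flow, using a constructed inventory:
  cross-zone-l1-link   controller -> controller across security zones (high)
  peer-l1-link         controller -> controller inside one zone (low)
  unknown-asset        src or dst missing from inventory, a visibility gap (medium)
  l1-initiated-upward  controller opens a session to a higher-level host (medium, heuristic)
"""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory: ip -> (purdue_level, security_zone).
# A real deployment would load this from the asset-management system.
INVENTORY: Dict[str, Tuple[int, str]] = {
    "10.1.1.10": (1, "zone-A"),  # PLC
    "10.1.1.11": (1, "zone-A"),  # PLC
    "10.1.2.10": (1, "zone-B"),  # PLC
    "10.1.3.10": (1, "zone-C"),  # PLC in a separate security zone
    "10.2.0.5": (2, "zone-A"),   # HMI / supervisory host
    "10.2.0.6": (2, "zone-B"),   # HMI / supervisory host
}

# Well-known TCP ports of common OT protocols; used only to label findings.
OT_PORTS = {502: "Modbus/TCP", 102: "ISO-TSAP/S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


@dataclass
class Finding:
    rule: str
    severity: str
    flow: Flow
    detail: str


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts,src,dst,dport' CSV text (constructed format) into Flow objects."""
    return [Flow(r["ts"], r["src"], r["dst"], int(r["dport"]))
            for r in csv.DictReader(StringIO(text))]


def classify(flow: Flow, inventory: Dict[str, Tuple[int, str]] = INVENTORY) -> Optional[Finding]:
    """Apply the level/zone rules to one flow; return a Finding or None if benign."""
    proto = OT_PORTS.get(flow.dport, f"tcp/{flow.dport}")
    src, dst = inventory.get(flow.src), inventory.get(flow.dst)
    if src is None or dst is None:
        missing = flow.src if src is None else flow.dst
        return Finding("unknown-asset", "medium", flow,
                       f"{missing} not in inventory; visibility gap on {proto}")
    (s_lvl, s_zone), (d_lvl, d_zone) = src, dst
    if s_lvl == 1 and d_lvl == 1:
        if s_zone != d_zone:
            return Finding("cross-zone-l1-link", "high", flow,
                           f"{proto} from {s_zone} to {d_zone} between controllers")
        return Finding("peer-l1-link", "low", flow,
                       f"{proto} between controllers inside {s_zone}")
    if s_lvl == 1 and d_lvl > 1:
        return Finding("l1-initiated-upward", "medium", flow,
                       f"controller opened {proto} to level {d_lvl} host {flow.dst}")
    return None  # e.g. a supervisory host polling its own zone's PLC


def analyze(text: str, inventory: Dict[str, Tuple[int, str]] = INVENTORY) -> List[Finding]:
    """Run classify() over every flow in the text and keep the findings."""
    return [f for f in (classify(fl, inventory) for fl in parse_flows(text)) if f]


def count_by_rule(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample flows: one benign poll, one peer link, one cross-zone
# controller link, one unknown destination, one upward session, one more poll.
SAMPLE_FLOWS = """ts,src,dst,dport
2024-01-01T10:00:00,10.2.0.5,10.1.1.10,502
2024-01-01T10:00:05,10.1.1.10,10.1.1.11,502
2024-01-01T10:00:09,10.1.1.11,10.1.3.10,502
2024-01-01T10:00:12,10.1.2.10,10.9.9.9,44818
2024-01-01T10:00:20,10.1.3.10,10.2.0.6,102
2024-01-01T10:00:25,10.2.0.6,10.1.2.10,502
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_FLOWS):
        print(f"[{f.severity:6}] {f.rule:20} {f.flow.ts} "
              f"{f.flow.src} -> {f.flow.dst}: {f.detail}")
```

On the sample data the script reports four findings; the two supervisory-to-PLC polls are treated as expected. The `cross-zone-l1-link` hit is the case the report describes: a controller in one security zone reaching a controller in another, a path the zone design never intended and that a perimeter-only monitoring point would never see.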
Forescout’s technical research is available here (PDF), while their blog post can be accessed here.