{"id":2087,"date":"2023-11-22T15:21:14","date_gmt":"2023-11-22T15:21:14","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=78154"},"modified":"2023-11-22T15:21:14","modified_gmt":"2023-11-22T15:21:14","slug":"researchers-want-more-detail-on-industrial-control-system-alerts","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2023\/11\/22\/researchers-want-more-detail-on-industrial-control-system-alerts\/","title":{"rendered":"Researchers want more detail on industrial control system alerts"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v20.5 (Yoast SEO v20.5) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Researchers want more detail on industrial control system alerts | CyberScoop<\/title> <meta name=\"description\" content=\"A vulnerability in an industrial control system exploited by a state-backed hacking group illustrates problems in how vendors share data.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/industrial-control-system-alerts\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Researchers want more detail on industrial control system alerts\"> <meta property=\"og:description\" content=\"A vulnerability in an industrial control system exploited by a state-backed hacking group illustrates problems in how vendors share data.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/industrial-control-system-alerts\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2023-11-22T15:21:14+00:00\"> <meta property=\"article:modified_time\" content=\"2023-11-22T16:04:06+00:00\"> <meta 
property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1248\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"eliasgroll\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1699561119g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1698686983g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1698989400g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=7dab012cdc88b5676610\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/78154\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.4.1\">\n<link rel=\"shortlink\" 
href=\"https:\/\/cyberscoop.com\/?p=78154\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Findustrial-control-system-alerts%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Findustrial-control-system-alerts%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-78154 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/industrial-control-system-alerts\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" 
fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.709459459459\">\n<div class=\"single-article__header-content\" readability=\"29.686746987952\">\n<p> A vulnerability in an industrial control system that a state-backed hacking group had developed the ability to exploit illustrates problems in how vendors share data. <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"416\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts.jpg?resize=640%2C416&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=300,195 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=768,499 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=1024,666 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=1536,998 1536w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=600,390 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=258,168 258w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=518,337 518w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=1038,675 1038w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2023\/11\/researchers-want-more-detail-on-industrial-control-system-alerts-1.jpg?resize=1297,843 1297w\" sizes=\"(max-width: 1038px) 100vw, 1038px\"><figcaption> Electric pylons are pictured near on February 2, 2007 near Kincardine, Scotland. (Photo by Jeff J Mitchell\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"62.091575374171\"><body readability=\"126.77867298578\"><\/p>\n<p>At the beginning of July, Rockwell Automation <a href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/11\/Remote-Code-Execution-and-Denial-of-Service-Vulnerabilities-in-Select-Communication-Modules.pdf\">released a security advisory<\/a> about a vulnerability in one of its products. Working with the U.S. 
government, the company said it had become aware that a state-backed hacking unit had developed the ability to run malicious code on the communication modules of an industrial controller.&nbsp;<\/p>\n<p>The company wouldn\u2019t identify who had this ability to attack its products, and <a href=\"https:\/\/www.cisa.gov\/news-events\/ics-advisories\/icsa-23-193-01\">an accompanying advisory<\/a> from the Cybersecurity and Infrastructure Security Agency said there were no known instances of the vulnerability being exploited in the wild.&nbsp;<\/p>\n<p>It is rare for a vulnerability in industrial control systems targeted by nation-state hackers to be discovered before it is exploited. By publicly revealing the vulnerability and urging customers to patch their systems, Rockwell may have effectively burned a foreign intelligence agency\u2019s capability to attack U.S. critical infrastructure \u2014 at least against the systems whose owners actually apply the patch.&nbsp;<\/p>\n<p>But computer security researchers caution that advisories of this nature often lack key information, delaying the work of addressing the underlying vulnerabilities. While advisories about nation-state targeting of industrial control systems may require a measure of secrecy, researchers argue they are too often stymied in obtaining the information they need to fix vulnerabilities.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Advisories such as Rockwell\u2019s provide a rare window into how advanced hacking groups target industrial systems, and prompted researchers at Forescout Technologies to look more closely at how Rockwell proposed to fix its systems. 
Aiming to write threat detection rules for their customers, the researchers found discrepancies between the detection rules and the patches the firm released.&nbsp;<\/p>\n<p>\u201cWe took the patched version and the unpatched version of the firmware and we looked at the code for what was actually patched and what was not,\u201d said Daniel dos Santos, head of security research at Forescout.<\/p>\n<p>The researchers found code that the patch changed but that the vendor\u2019s detection rules did not mention: portions of an email service were patched, yet the detection rules Rockwell released did not cover that fix. Conversely, a proprietary service called \u201cSpy Object\u201d appeared in the mitigation rules even though the patch did not touch that portion of the code. For defenders, both gaps matter: a detection rule that does not cover a patched code path can miss exploitation attempts against it, while a rule that covers code the patch left untouched raises the question of whether that code is still vulnerable. And even with the patches applied, Forescout\u2019s researchers concluded that an attacker could still move through an infected network, a phenomenon the company calls \u201c<a href=\"https:\/\/www.forescout.com\/blog\/deep-lateral-movement-in-ot-networks-when-is-a-perimeter-not-a-perimeter\/\">deep lateral movement<\/a>.\u201d<\/p>\n<p>The Rockwell alert raises the possibility that the vulnerability could be exploited to manipulate firmware on targeted systems and achieve persistence \u2014 a detail Forescout\u2019s researchers argue could indicate that whoever discovered the vulnerability had also examined malware built to exploit it.&nbsp;<\/p>\n<p>\u201cThis suggests that whoever uncovered this capability with the unnamed advanced persistent threat (APT) may have also uncovered an as-of-yet undisclosed post-exploitation payload focusing on firmware manipulation and persistence,\u201d Forescout\u2019s report notes.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cI do understand that when you are working with the government there is a level 
of \u2018secrecy\u2019 that is required,\u201d dos Santos said. \u201cThey say that they found something. Let\u2019s believe them; I\u2019m not saying they\u2019re not right. But it\u2019s like where are the details? How can we as a community share things that then can be analyzed by everybody?\u201d<\/p>\n<p>When U.S. cybersecurity officials last year revealed the existence of <a href=\"https:\/\/cyberscoop.com\/cisa-doe-fbi-nsa-pipedream-chernovite-ics\/\">the malware known as \u201cPipedream\u201d<\/a>, described as a highly capable tool for attacking industrial control systems, researchers were once again left with scant technical details about the program.<\/p>\n<p>More broadly, the lack of detailed information about vulnerabilities in industrial control systems is a common enough problem that it can be safe to assume that vendors are leaving information out in vulnerability disclosures, dos Santos argues.<\/p>\n<p>Rockwell did not respond to requests for comment.<\/p>\n<p>Asked about the lack of detail regarding the Rockwell vulnerability, a spokesperson for CISA pointed to its coordinated vulnerability disclosure process, which works with vendors to release information to the broader public about a particular vulnerability.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Rockwell\u2019s ControlLogix controllers are typically used in manufacturing environments and include control, safety logic and communication services that allow components to talk to other systems in the network. 
The controllers are separate modules that can be attached to a chassis depending on the facility\u2019s needs and unique configuration.<\/p>\n<p>\u201cThis is similar to a laptop, where the CPU, hard disk and networking cards connect via the motherboard and the user can replace each of these \u2018modules\u2019 for another compatible one,\u201d dos Santos explained in an email.<\/p>\n<p>Because the communication module shares the chassis with the other modules, the vulnerability could allow an attacker who compromises it to reach other modules on the chassis or elsewhere on the network \u2014 such as a logic or safety controller \u2014 and potentially disable safety constraints.<\/p>\n<p>The Rockwell alert notes that the company is not aware of any exploitation of the vulnerability \u201cand the intended victimization remains unclear.\u201d However, it is likely that the capability was developed to target critical infrastructure sectors.<\/p>\n<p>Ron Fabela, CTO at cybersecurity firm XONA Systems, said that for industrial control system vulnerabilities, \u201cit\u2019s no longer useful to just know what is affected, but asset owners and defenders need to know what to do about it.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cSimilarly, any time we read the latest threat research report on APT activity in ICS there often lacks a \u2018so what\u2019 or \u2018what now\u2019 analysis, leaving research companies with just awareness of the problem but little practical application outside of the event specifics,\u201d Fabela said.<\/p>\n<p>After releasing the July patch, Rockwell published an additional alert in September for the same communication modules. This time around, the patch changed code in the email service that had also been patched in the previous release. 
However, Rockwell said that this new vulnerability did not have to do with the previous one that was discovered by state hackers.<\/p>\n<p>\u201cIt\u2019s just very confusing,\u201d dos Santos said.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\">\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" 
class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/industrial-control-system-alerts\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers want more detail on industrial control system alerts |<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[452,293,578,1212,256,288],"tags":[454,299,580,1213,262,294],"class_list":["post-2087","post","type-post","status-publish","format-standard","hentry","category-cybersecurity-and-infrastructure-security-agency-cisa","category-department-of-homeland-security-dhs","category-industrial-control-systems-ics","category-pipedream","category-research","category-threats","tag-cybersecurity-and-infrastructure-security-agency-cisa","tag-department-of-homeland-security-dhs","tag-industrial-control-systems-ics","tag-pipedream","tag-research","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity-and-infrastructure-security-agency-cisa\/\" rel=\"category tag\">Cybersecurity and Infrastructure Security Agency (CISA)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/department-of-homeland-security-dhs\/\" rel=\"category tag\">Department of Homeland Security (DHS)<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/industrial-control-systems-ics\/\" rel=\"category tag\">industrial control systems (ICS)<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/pipedream\/\" rel=\"category tag\">Pipedream<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2087","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2087"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2087\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2087"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2087"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2087"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}