Relay Race: Getting a Handle on Known Risks in the GE UR Family

Photo by Andrey Metelev on Unsplash
  • Similar vulnerabilities are ubiquitous. As we move to more modern IoT/IIoT devices, developers integrating components and bolt-on functionality on top of protocol implementations will continue to make software engineering blunders.
  • Bootloader vulnerabilities require local access and power control. Without the ability to cycle device power on and off, an attacker cannot execute the bootloader code.
  • Web functionality offers a large attack surface. Owing to the eccentricities of their daemons and programming languages, web-based functions are best left disabled or, at least, sheltered behind multiple firewalls.
  • Vulnerable-by-design protocols are not necessarily (vulnerable). If an attacker gets unfettered network access or lands in a privileged position, things can get dicey fast. But neither condition should occur if proper networking segmentation and access controls are in place. Direct remote access should be limited to secure methods such as IPsec VPN.
  • The security of protocol implementations, especially for cryptography, degrades over time. Direct access to systems that are slower to be patched, if at all, should be avoided. Still, SSH is far preferable to HTTP-based communications, particularly when you force strong ciphers and prevent downgrading.
  • Industrial protocols generally lack strong security features. In the case of the GE UR devices, the “unlock” function leaves passwords intact and accessible. Be mindful of the limitations of security functions and don’t rely on them.
  • Assume all devices are vulnerable. Multiple layers of security — from deployment to retirement — are necessary and require effective management and maintenance to retain their risk-reduction qualities.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Verve Industrial Protection

Verve Industrial Protection

Verve's mission is to protect the world's critical infrastructure. Learn more at verveindustrial.com