A Feb. 5 advisory from the Cybersecurity and Infrastructure Security Agency (CISA) urges organizations to take “defensive action” on end-of-support edge devices, including firewalls, routers, load balancers, and VPN gateways. The urgency stems from a surge in adversary activity against these unsupported, and often insecure, devices. For federal civilian executive branch (FCEB) networks, the clock is ticking: a series of deadlines loom under CISA’s Binding Operational Directive (BOD) 26-02:
Software and firmware on vendor-supported edge devices must be updated immediately to current versions.
Within three months, all FCEB agencies must inventory edge devices that appear on CISA’s EOS Edge Device List and provide those inventories to CISA.
Within 12 months, those devices must be decommissioned and reported to CISA; any devices expected to reach end-of-support in the following 12 months must also be inventoried and reported to CISA.
Within 18 months, agencies must decommission affected EOS edge devices and replace them with supported devices running current software and firmware.
Within 24 months, a process for discovering edge devices must be in place, and an inventory of edge devices must be maintained for any asset approaching end-of-support status.
CISA’s urgency is well warranted, and organizations with large cyber-physical systems (CPS) estates would do well to adopt the same defensive strategy for those assets. Threat actors actively target edge devices because they are internet-facing and provide a network foothold from which to spy on activity, move further into the environment, and potentially disrupt operations.
For enterprises defending CPS, this should sound familiar: a litany of legacy technology that is newly internet-facing and that introduces serious risk to industrial and healthcare environments.
CISA’s alert, meanwhile, was a response to the December cyberattacks against numerous energy facilities in Poland. Renewable energy plants, a combined heat and power plant, and a manufacturing company were compromised by attackers who accessed edge devices by decidedly low-tech means: default credentials were used for initial access. From there, the attackers deployed wiper malware on the compromised networks that damaged remote terminal units (RTUs) and other operational technology (OT). According to CISA’s recap of the attack, the wiper destroyed data on human-machine interfaces (HMIs) and corrupted firmware, leaving asset operators blind to what was happening on energy distribution systems. Those systems continued to function, but operators could no longer manage or monitor them.
Without venturing too deeply into the geopolitical and cyberwar aspects of this activity, a high-profile intrusion that began at edge devices is reason enough to retire these end-of-life assets or wrap compensating controls around them.
It is clear that adversaries can easily enumerate these internet-facing devices, and that they have the capability to carry out not only disruptive but also destructive attacks against OT networks and cyber-physical systems. Vulnerable edge devices can, and will, put CPS at risk.
CISA advises the following mitigations to reduce the risk from vulnerable edge devices:
Ensure you have an accurate inventory of edge devices. As the attacks against Poland’s energy sector demonstrate, access to these devices gives threat actors a path to connected industrial OT and IoT assets, and damaging attacks are not out of the question. Defenders should scan networks for outdated assets and understand their dependencies, so that potential attack paths are visible if a compromise occurs.
Replace edge devices. This can be costly and slow, but the cost must be weighed against the risk of keeping edge devices the vendor no longer supports. EOL edge devices receive no security or feature updates, so any newly reported CVE becomes a forever-vulnerability, especially when the asset is not inventoried and operates exposed and unmanaged.
Patch at-risk devices first. For edge devices still supported by vendors, it is critical to understand which assets are most at risk. CISA’s Known Exploited Vulnerabilities (KEV) catalog is an invaluable resource: it lists CVEs with evidence of active exploitation in the wild, a far smaller and more actionable set than every CVE affecting a product. This is especially important for FCEB agencies, which are required under BOD 22-01 to remediate KEV entries, often within a short window.
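The three mitigations above are one workflow: inventory, retire what is past end-of-support, and patch supported devices in KEV order. The script below, an added example that is not part of CISA’s advisory or Claroty’s tooling, runs that triage over a constructed inventory. The vendors, product names, EOS dates and CVE identifiers are all placeholders invented for the example (the CVE IDs use the reserved 0000 year and are not real entries), and the KEV set stands in for a download of the real catalog.

```python
"""Edge-device triage: end-of-support status first, then KEV exposure.

Added example; all inventory, EOS and KEV data below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Device:
    hostname: str
    vendor: str
    product: str
    internet_facing: bool
    cves: frozenset  # CVE IDs a scanner reports against the running version


# Constructed end-of-support table keyed by (vendor, product); hypothetical products.
EOS_DATES = {
    ("examplevendor", "fw-1000"): date(2024, 6, 30),
    ("examplevendor", "fw-2000"): date(2026, 9, 30),
    ("othervendor", "vpn-gw-x"): date(2028, 1, 1),
}

# Constructed stand-in for the KEV catalog: placeholder IDs, not real CVEs.
KEV_PLACEHOLDER = frozenset({"CVE-0000-0001", "CVE-0000-0003"})

# Constructed inventory, as an asset-discovery tool might export it.
INVENTORY = [
    Device("fw-edge-01", "examplevendor", "fw-1000", True, frozenset({"CVE-0000-0001"})),
    Device("fw-edge-02", "examplevendor", "fw-2000", True, frozenset({"CVE-0000-0003", "CVE-0000-0004"})),
    Device("vpn-gw-01", "othervendor", "vpn-gw-x", True, frozenset({"CVE-0000-0002"})),
    Device("lb-internal-01", "examplevendor", "fw-2000", False, frozenset()),
    Device("rtr-branch-07", "legacyvendor", "rtr-9", True, frozenset()),
]
TODAY = date(2026, 2, 10)  # fixed so the example is reproducible

# Buckets in descending urgency; the integer is the sort key.
REPLACE_NOW, PATCH_NOW, PLAN_REPLACEMENT, VERIFY_SUPPORT, PATCH_ROUTINE, NO_ACTION = range(6)
BUCKET_NAMES = {
    REPLACE_NOW: "replace_now",
    PATCH_NOW: "patch_now",
    PLAN_REPLACEMENT: "plan_replacement",
    VERIFY_SUPPORT: "verify_support",
    PATCH_ROUTINE: "patch_routine",
    NO_ACTION: "no_action",
}


def classify(dev, eos_dates, kev, today, lookahead=timedelta(days=365)):
    """Return (bucket, reason) for one device.

    Past-EOS devices come first regardless of CVEs: no fix will ever ship,
    so an exploited CVE on them is a forever-vulnerability and the only
    remediation is replacement (or compensating controls until then).
    """
    eos = eos_dates.get((dev.vendor, dev.product))
    exploited = sorted(dev.cves & kev)
    if eos is not None and eos <= today:
        reason = f"end of support {eos.isoformat()}"
        if exploited:
            reason += "; unpatchable exploited CVEs: " + ", ".join(exploited)
        return REPLACE_NOW, reason
    if exploited:  # supported and on KEV: BOD 22-01 style short remediation window
        return PATCH_NOW, "exploited CVEs: " + ", ".join(exploited)
    if eos is not None and eos <= today + lookahead:
        return PLAN_REPLACEMENT, f"end of support {eos.isoformat()}"
    if eos is None:  # not on the EOS table: support status must be confirmed, not assumed
        return VERIFY_SUPPORT, "no end-of-support date on record"
    if dev.cves:
        return PATCH_ROUTINE, f"{len(dev.cves)} non-exploited CVE(s)"
    return NO_ACTION, f"supported until {eos.isoformat()}"


def triage(inventory, eos_dates, kev, today, lookahead=timedelta(days=365)):
    """Return [(bucket_name, hostname, reason)] ordered by urgency, internet-facing first."""
    rows = []
    for dev in inventory:
        bucket, reason = classify(dev, eos_dates, kev, today, lookahead)
        rows.append((bucket, not dev.internet_facing, dev.hostname, reason))
    rows.sort()
    return [(BUCKET_NAMES[b], host, reason) for b, _, host, reason in rows]


if __name__ == "__main__":
    for bucket, host, reason in triage(INVENTORY, EOS_DATES, KEV_PLACEHOLDER, TODAY):
        print(f"{bucket:17} {host:15} {reason}")
```

The ordering encodes the advisory’s logic: an end-of-support device with an exploited CVE is ranked for replacement rather than patching, because a patch cannot be applied, and a device with no support date on file is flagged for verification instead of being silently treated as supported. In practice the inventory would come from the discovery process BOD 26-02 requires, and the KEV set from the catalog feed rather than a literal.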
The attack in Poland demonstrates how fragile security is around legacy technology such as many edge devices, and around the OT and medical systems that make up CPS. Attackers rely on the general insecurity of these internet-facing systems to access them readily.
Attacks are often kicked off, as in the Polish incidents, using default credentials that should have been changed. In many cases, attacks against CPS assets or edge devices require no vulnerability exploit at all for an initial foothold.
Instead, basic hygiene could have closed these exposures and avoided a high-profile incident with damaging consequences for critical infrastructure. Devices that cannot be upgraded with modern security features because of their age are a ticking time bomb, and the CISA-mandated timelines for their replacement should be treated as a backstop, not as the target date to plan against.
U.S. Navy Adm. (Ret.) Michael Rogers served as the 17th Director of the National Security Agency and the 2nd Commander of U.S. Cyber Command. Adm. Rogers presided over the activation of the Pentagon's Cyber Mission Forces and the elevation of U.S. Cyber Command to unified combatant command status. He is currently the chairman of Claroty’s Board of Advisors.