CodeMeter Vulns: Why Complete Software Inventory Data Is Critical for ICS
by Jeremy Morgan, Principal Solutions Engineer
You bought an industrial control system (ICS) to run your company's most valuable asset. You diligently worked with a consultant and produced the most complete list of requirements imaginable – nothing extra, nothing missing. You spent months talking to and evaluating proposals from the best integrators, value-added resellers and original equipment manufacturers. You selected and implemented the best-in-class solution. The project to roll it out in your new state-of-the-art factory won awards. Never has a project run so smoothly, delivered so quickly and so far under budget, with so few punch-list items. Over the last year it has run at levels of efficiency that amaze even the winning bidder.
Then one day it stops working. You are down. All of your fail-safes kicked in, but you don't know why it stopped. After many millions of dollars in direct and indirect costs, the root cause turns out to be a licensing server.
But you didn’t buy a licensing server, you bought an industrial control system.
It turns out that when you buy an ICS, you are buying a whole ecosystem of software you never specified in your requirements. You can see just how complicated the security ecosystem for ICS is with our DefenderSphere. Licensing is often a part of that ecosystem. The real irony in this case is that the licensing component usually presents itself as a way to add authentication and a measure of security, because the industrial protocols themselves provide none. It is there to enhance your security.
This is why having a complete and timely view of the software in your ICS is so critical. Every major control framework calls for it, from the CIS Top 20 to NIST and NERC CIP. A software inventory is fundamental to making the other controls work: you cannot patch, segment or monitor what you do not know you are running.
Back in early 2019, security researchers discovered several high- and critical-severity vulnerabilities in the CodeMeter licensing software that is embedded in products from major ICS vendors. Siemens and Rockwell have each released their own advisory, but be forewarned that Rockwell's advisory requires an account to view.
There are some reasonable mitigating controls for these CodeMeter vulnerabilities, and most of them require some form of presence on the local network. The exception is CVE-2020-14519, which does not have an entry on NVD at the time of this writing; it requires only that a user on the affected host browse to a specially crafted web page.
The good news is that the bulletins are well documented, as would be expected given roughly 18 months of lead time between the researchers' notification and the product vendors' announcements.
Unfortunately, in this case knowing is not even half the battle. Now the real work begins for your company. You need a software inventory, a hardware inventory, firewall rules and device settings to determine your actual risk exposure: which hosts run an affected CodeMeter version, which of those are reachable from the network segments an attacker could plausibly occupy, and which have a browser that could land on a crafted web page.
Without a detailed listing of every make and model of device with up-to-date firmware versions, and a detailed software inventory that identifies the actual affected software versions, you have a very long and expensive road ahead. It is not uncommon for efforts like these to cost several hundred thousand dollars to paint a single point-in-time picture of your environment, and that may or may not include any actual remediation. And this is just for a couple of targeted devices and pieces of software, to resolve just a couple of vulnerabilities.
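To make the analysis above concrete, here is an added example (not code from the original post or from Industrial Defender) that cross-references a software inventory export against an advisory's affected-version range. The inventory rows, hostnames, zones and the `browser_installed` column are constructed sample data, and the two version thresholds are assumptions: replace them with the fixed version and the WebSocket-API introduction version stated in the vendor bulletin you are working from. The output separates hosts that are reachable only from the local network from hosts where a crafted web page would suffice, which is the distinction the bulletins draw.

```python
"""Flag hosts running an affected CodeMeter version and rank them by exposure.

Added example: the inventory below is constructed, and the thresholds are
assumptions to be replaced with the values in the vendor bulletin.
"""
import csv
import io
import re

# Constructed sample export from an asset inventory (hypothetical hosts).
INVENTORY_CSV = """hostname,zone,product,version,browser_installed
hmi-01,level2,CodeMeter Runtime,6.90,yes
eng-ws-01,level3,CodeMeter Runtime,7.00,yes
plc-gw-02,level1,CodeMeter Runtime,7.10,no
hist-01,level3,CodeMeter Runtime,5.20,no
eng-ws-02,level3,TIA Portal,16.0,yes
"""

# Assumed thresholds (placeholders): take the real values from the bulletin.
FIXED_VERSION = "7.10"       # first version the bulletin lists as fixed
WEBSOCKET_API_MIN = "6.81"   # first version exposing the browser-reachable API


def parse_version(text):
    """'6.90' -> (6, 90); '7.0a' -> (7, 0).

    Letter patch suffixes are dropped, which is the conservative choice:
    '7.0a' still sorts below '7.10' and is therefore still flagged.
    """
    return tuple(int(n) for n in re.findall(r"\d+", text))


def assess_exposure(inventory_csv, fixed=FIXED_VERSION, ws_min=WEBSOCKET_API_MIN):
    """Return one finding per host running CodeMeter below the fixed version.

    A host is marked web_page_reachable when its version carries the
    browser-reachable API and a browser is installed; those hosts go first
    because they need no local network presence to be attacked.
    """
    fixed_v, ws_v = parse_version(fixed), parse_version(ws_min)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not row["product"].strip().lower().startswith("codemeter"):
            continue
        version = parse_version(row["version"])
        if version >= fixed_v:
            continue  # already at or past the fixed version
        has_browser = row["browser_installed"].strip().lower() == "yes"
        web_exposed = version >= ws_v and has_browser
        findings.append({
            "hostname": row["hostname"],
            "zone": row["zone"],
            "version": row["version"],
            "web_page_reachable": web_exposed,
            "attack_path": "crafted web page" if web_exposed else "local network only",
        })
    # Highest exposure first, then by zone so network-level mitigations group together.
    findings.sort(key=lambda f: (not f["web_page_reachable"], f["zone"], f["hostname"]))
    return findings


if __name__ == "__main__":
    for f in assess_exposure(INVENTORY_CSV):
        print(f"{f['hostname']:<10} {f['zone']:<7} v{f['version']:<6} {f['attack_path']}")
```

In a real engagement the CSV would come from the inventory tool's export, and the firewall-rule and zone data would feed the "local network only" bucket further, since a host that no attacker-reachable segment can route to drops to the bottom of the list.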
Industrial Defender has been helping customers solve this problem in the most complicated ICS environments in the world for the better part of a decade. With our flexible approach to data collection, we have the means and methods to give you exactly what you need for this analysis across your enterprise, often for less than a single vulnerability identification effort would cost you. Our users have real-time access that lets them answer these questions in minutes. Those using our Vulnerability Management Service have even less manual work to reconcile all of these devices and software packages.
In fact, our support website already contains policies created for these vulnerabilities that identify the affected software and devices even faster. Our current customers can simply log in, run a new policy exception report in minutes, and get a clear picture of their environment to start planning mitigation. This puts them weeks or months ahead of their competitors while reducing their risk of being impacted.
To learn more about how we can help your team reduce the time it takes to identify and mitigate vulnerabilities like the ones found in CodeMeter software, request a demo with one of our ICS experts.