INFRA:HALT: a new batch of vulnerabilities is coming. How is the Department of Energy using machine learning on firmware to strengthen grid security?

Forescout Research Labs and JFrog Security Research jointly disclosed a set of 14 new vulnerabilities affecting the NicheStack TCP/IP stack (also known as the InterNiche stack). NicheStack is used in many devices in operational technology (OT) and critical infrastructure, such as the popular Siemens S7 series of PLCs. Other major OT equipment suppliers, including Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation and Schneider Electric, are listed as customers of InterNiche, the original developer of the stack. Because of this prevalence in OT, the most affected vertical is manufacturing. This batch of vulnerabilities is also a product of automated vulnerability discovery, the same trend that includes machine learning. The Department of Energy (DOE) is combining machine learning (ML) with a threat information sharing tool it has developed in order to discover cybersecurity vulnerabilities embedded in grid control systems.

The Department of Energy’s Grid Modernization Laboratory Consortium (GMLC), which includes Idaho, Argonne, and Sandia National Laboratories and the National Renewable Energy Laboratory, is working on this together under the Firmware Command and Control (FC2) project.

In November 2014, the Department of Energy launched a cross-sector plan for grid modernization. This included the launch of the Grid Modernization Laboratory Consortium, involving the national laboratories engaged in the Department of Energy’s grid work, and established a new, integrated approach to planning and delivering the innovation and thought leadership that support grid modernization. This crosscutting approach ensures that the Department of Energy’s R&D investments and capabilities are fully coordinated.

The technical team is composed of 65 leading scientists and engineers from the Department of Energy’s national laboratories, organized around six technical areas: sensing and measurement; devices and integrated systems; system operations, power flow, and control; design and planning tools; security and resilience; and institutional support.

In industrial control systems and operational technology (OT), firmware is typically long-lived software that is rarely updated and therefore often vulnerable. Idaho National Laboratory (INL) and the software company Forescout are cooperating so that FC2’s analysis of network data can use ML to detect vulnerabilities hidden inside that firmware.

INL’s infrastructure consultant Rita Foster said in a comment: “Embedded systems are like a black box. It is almost unknown which sub-components the underlying code is composed of. This weakens protection mechanisms and may make the system vulnerable. Emerging machine learning technology can identify ubiquitous libraries, which may contain known potential vulnerabilities.”
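The approach Foster describes, recognizing which third-party libraries an opaque firmware image embeds and then mapping those components to known advisories, can be illustrated without any ML at all. The following is an added example written for this page, not code from INL, Forescout or FC2: it pulls printable strings out of a constructed firmware blob, matches them against hypothetical library signatures, and checks the recovered versions against a constructed advisory table. The component names, version banners and advisory identifiers are all invented for the example.

```python
import re

# Constructed firmware image (not a real device dump): printable version
# strings interleaved with filler bytes, the way they sit in a flash image.
FIRMWARE = (
    b"\x00" * 16
    + b"Copyright (c) ACME Controls 2019\x00"
    + b"\x7fELF\x01\x01\x01" + b"\xaa" * 40
    + b"ExampleTcpStack v3.1.2 (built 2018-04-02)\x00"
    + b"\xff" * 30
    + b"libcryptoexample 1.0.2\x00"
    + b"\x00" * 8
)

# Hypothetical library signatures: component name -> regex that captures
# the version out of a banner string the component embeds in every build.
SIGNATURES = {
    "ExampleTcpStack": re.compile(rb"ExampleTcpStack v(\d+\.\d+\.\d+)"),
    "libcryptoexample": re.compile(rb"libcryptoexample (\d+\.\d+\.\d+)"),
}

# Constructed advisory table (invented identifiers): every version strictly
# below fixed_in is affected.
ADVISORIES = [
    {"component": "ExampleTcpStack", "id": "EX-2021-0001",
     "fixed_in": "3.2.0", "summary": "DNS response parsing out-of-bounds read"},
    {"component": "ExampleTcpStack", "id": "EX-2021-0002",
     "fixed_in": "3.0.5", "summary": "predictable TCP initial sequence numbers"},
    {"component": "libcryptoexample", "id": "EX-2020-0007",
     "fixed_in": "1.0.1", "summary": "timing leak in MAC comparison"},
]


def extract_strings(blob, min_len=6):
    """Return every run of at least min_len printable ASCII bytes in blob."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0) for m in re.finditer(pattern, blob)]


def identify_components(blob):
    """Map component name -> version string for every signature that matches.

    The first matching banner wins; a real image may carry several copies
    of the same banner, but they belong to one linked-in library.
    """
    found = {}
    for s in extract_strings(blob):
        for name, sig in SIGNATURES.items():
            m = sig.search(s)
            if m and name not in found:
                found[name] = m.group(1).decode("ascii")
    return found


def version_tuple(version):
    """'3.1.2' -> (3, 1, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def match_advisories(components):
    """Return (component, version, advisory id, summary) for each applicable advisory."""
    findings = []
    for adv in ADVISORIES:
        version = components.get(adv["component"])
        if version is None:
            continue
        if version_tuple(version) < version_tuple(adv["fixed_in"]):
            findings.append((adv["component"], version, adv["id"], adv["summary"]))
    return findings


if __name__ == "__main__":
    components = identify_components(FIRMWARE)
    for name, version in components.items():
        print(f"embedded component: {name} {version}")
    for component, version, adv_id, summary in match_advisories(components):
        print(f"  {adv_id}: {component} {version} is affected ({summary})")
```

On the constructed image this reports ExampleTcpStack 3.1.2 and libcryptoexample 1.0.2, and flags only EX-2021-0001: the other two advisories are fixed in versions at or below what the image carries. Banner strings are the cheapest signal and the one vendors most often strip, which is why the ML approach in the article looks at code features rather than strings alone; the inventory-to-advisory mapping at the end is the part that stays the same either way.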

INL has also developed a Structured Threat Intelligence Graph (STIG), used to share actionable threat information between grid utilities and OT suppliers. OT suppliers are usually very guarded with this type of information and reluctant to share it. Rather than requiring threat analysts to read thousands of lines of code, STIG visualizes the relationships between attack patterns, indicators of compromise and exploits, and proposes mitigation measures.

FC2 and the broader GMLC are helping utility companies such as Southern California Edison and DTE Energy, which serve as large and expensive test beds, strengthen their grid architectures. At the same time, OT manufacturer partners such as Siemens, Rockwell Automation, Eaton, General Electric and Hitachi can develop better network protections.

Foster said: “The demand for analytical tools for sharing security threat information and intelligence has risen significantly, and existing tools have proven to be inadequate.”

Many of the well-known OT manufacturers the government has partnered with, including Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation and Schneider Electric, have business relationships with InterNiche. On Wednesday, local time, InterNiche’s code base was revealed to contain 14 newly discovered vulnerabilities.

Forescout Research Labs and JFrog Security Research announced the set of vulnerabilities, named INFRA:HALT, as part of the former’s Project Memoria. The vulnerabilities allow remote code execution, denial of service, information disclosure, TCP spoofing and DNS cache poisoning, any of which can compromise critical infrastructure such as OT and the power grid. The impact of this wave of vulnerabilities remains very broad.

Forescout’s report recommends that utilities limit the network exposure of critical vulnerable devices through network segmentation, apply patches as soon as vendors release them, and block or disable support for unused protocols (such as HTTP).

These 14 vulnerabilities were discovered at scale through the use of advanced automated binary analysis.

The report stated: “We believe that the field of cybersecurity is at a turning point, and automated vulnerability discovery technology will soon become more common, which will make the discovery of very large-scale vulnerabilities (such as vulnerabilities affecting TCP/IP stacks) faster and more frequent. However, all these vulnerabilities must still be disclosed, mapped to the affected devices, and mitigated.”
