Down and Exposed: Are your Maintenance Policies Leaving your Systems Vulnerable?

Machines need regular maintenance, not just to make sure the usual wear and tear hasn’t damaged the machine but also to do routine updates and checks. The more complicated the machinery, the more intensive the maintenance process is.

The maintenance process will usually require access to the machine and all the connected systems used to manage the operations—for example, a modern water pump is connected to pipes that deliver water, as well as a control system to monitor and adjust pressure and flow. During routine maintenance, both the hardware and software are vulnerable when normal operations and security protocols are paused or switched to another mode so that updates or fixes can be applied.

A 2016 incident in Taipei shows how the maintenance period can be a very effective avenue of attack. Reports say that a disgruntled employee took advantage of routine maintenance to install malware on the software managing YouBike, a bike-sharing service that operates throughout the country. The bikes became inoperable as a result, costing the enterprise US $662,910 in damages and lost revenue. The engineer was caught and charged by the Taichung District Prosecutors’ Office in Taiwan.

Maintenance issues and solutions

Besides the fact that few or no security measures are in place during maintenance—even fundamental layers like application control or whitelisting—there are other issues that could potentially be exploited.

  • Access to these systems during maintenance is given to third parties. Outsourced maintenance providers do not follow the same security protocols as the enterprise, and are not subject to the same review process either.
  • Maintenance of older machines is inefficient and insecure. Some machines need a CD or even a 3.5-inch floppy disk to be updated. Someone has to carry copies of the software to each endpoint to maintain it, which often results in infrequent updates and outdated methods.
  • Some machines are so old they cannot be updated, so they are maintained only to keep them operational. 70% of ATMs in India are still running Windows XP: they work, but are vulnerable to many different attacks.
  • Some whitelist features aren’t maintenance-friendly. Some whitelisting consists only of lock/unlock, meaning that when maintenance unlocks the protection to install updates, the whole system is left unprotected. Maintenance-friendly whitelisting instead grants permission only for what the maintenance task needs.

Cyber threats affecting enterprises set a record high in 2016, which should encourage organizations to rethink their security measures across all aspects of their business, especially the maintenance of machinery that is integral to operations. Maintenance policies should be restructured, security solutions added, and machines in general should be updated so they can receive proper maintenance.

Below are some specific solutions that should be considered:

  • Organizations should use maintenance-friendly whitelist technology to protect their environment because most machines are “fixed function devices” (or devices that perform one set of functions and cannot be reprogrammed) that need to be strictly controlled.
  • Organizations should build the capability to ensure that their environment is consistently safe, and that there are security policies in place at all times.
  • Any parties that have access to the machine should be properly vetted and monitored.
  • Extended incident response procedures should also be in place. This differs from normal incident response, which is purely reactive. Extended IR means addressing the root cause and installing long-term solutions. Organizations need to make sure that the machine's environment is clean and stays clean.
  • All bases should be covered, so security solutions should be active even during maintenance. Even if the machine is not connected to the internet, there are solutions that can help.
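To make the difference between plain lock/unlock whitelisting (the issue listed earlier) and the maintenance-friendly whitelisting recommended first in this list concrete, here is an added example that is not Trend Micro's or Safe Lock's code. It models a policy that, during maintenance, admits only the one approved update package, only from the vetted maintenance account, and only for a bounded window; the sample binaries, account names and timestamps are constructed.

```python
import hashlib
from datetime import datetime, timedelta

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample images: the device's normal workload, the vendor's approved
# update package, and an unapproved tool a technician might bring on a USB stick.
PUMP_CONTROLLER = b"pump-controller-v4.2"
APPROVED_UPDATE = b"vendor-update-v4.3"
ROGUE_TOOL = b"unapproved-tool"
SAMPLE_NOW = datetime(2016, 1, 1, 9, 0)          # constructed timestamp for the demo
SAMPLE_LATER = SAMPLE_NOW + timedelta(hours=2)   # after the maintenance window has expired

class LockUnlockAllowlist:
    """Lock/unlock style: maintenance simply switches enforcement off."""
    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)
        self.locked = True

    def may_execute(self, image: bytes, actor: str, now: datetime) -> bool:
        if not self.locked:
            return True  # while unlocked, anything runs, from anyone, until someone re-locks
        return sha256(image) in self.allowed

class MaintenanceFriendlyAllowlist:
    """Maintenance grants only what the job needs: one package, one actor, bounded time."""
    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)
        self.window = None  # (approved_hash, approved_actor, expiry) while a job is open

    def open_maintenance(self, update_image: bytes, actor: str, now: datetime, minutes: int = 60):
        self.window = (sha256(update_image), actor, now + timedelta(minutes=minutes))

    def close_maintenance(self):
        self.window = None

    def may_execute(self, image: bytes, actor: str, now: datetime) -> bool:
        if sha256(image) in self.allowed:
            return True  # the normal allowlisted workload keeps running throughout
        if self.window is None:
            return False
        approved_hash, approved_actor, expiry = self.window
        return sha256(image) == approved_hash and actor == approved_actor and now < expiry
```

The window expires on its own, so a job that is never formally closed does not leave the device permanently unlocked the way the lock/unlock model does.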

For some standalone PCs or closed systems, anti-malware software cannot be installed, scanning with the latest malware pattern file is difficult, and infections can still occur via USB flash drives or other devices brought inside. Trend Micro™ Portable Security 2™ is a malware scanning and cleanup tool delivered on a USB flash drive for environments where an internet connection is not available or anti-malware software cannot be installed. Trend Micro Safe Lock can be used for smart whitelisting protection that keeps the system locked during maintenance and allows only approved software to be updated.

Organizations can also use Trend Micro™ Deep Discovery Inspector™ to monitor machines connected to a network. Using specialized detection engines and custom sandbox analysis, Deep Discovery Inspector identifies advanced and unknown malware, ransomware, zero-day exploits, command and control (C&C) communications, and evasive attacker activities. TippingPoint’s Integrated Advanced Threat Prevention provides actionable security intelligence, shielding against vulnerabilities and exploits, and defending against known and zero-day attacks. Solutions, such as Advanced Threat Protection and Intrusion Prevention System, powered by XGen™ security, use a combination of technologies such as deep packet inspection, threat reputation, and advanced malware analysis to detect and block attacks and advanced threats.


Posted in Vulnerabilities & Exploits, ICS/SCADA