What do Spectre and Meltdown mean for industry?
The news broke on the 3rd of January that Google Alphabet Project Zero researchers had found two severe flaws in Intel and ARM processors. The flaws, named Spectre and Meltdown, were reported to the processor manufacturers in June / July 2017.
Meltdown affects Intel and ARM. It allows an attacker to bypass the hardware barriers between memory and applications running on the computer, which can give the attacker access to data, passwords and crypto-keys. This vulnerability can be patched, and patches have started to appear for the Linux, Windows and MacOS operating systems. In the short term it remains a problem while manufacturers, the process industry and machine builders gather data on which processors they are using in the field and then deploy a patch to each unit.
In the short term, protect an affected item by firewalling incoming traffic to it and allowing only trusted IP addresses to reach the unit. As soon as the patch is available for your system, deploy it to all affected systems.
Spectre is harder to exploit, but it is still a threat to a control system. It breaks the isolation between applications, including programs that would otherwise be deemed error-free. It induces a program to leak its secrets and data, which other processes in memory can then access. Spectre will also be harder to patch; one of the authors of the paper said:
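As an added example (not part of the original article), the script below shows one way to gather this data on Linux-based units and to confirm that a deployed patch took effect. It reads the status files that Linux kernels from 4.15 onwards expose under /sys/devices/system/cpu/vulnerabilities; the sample values and the triage labels are constructed for illustration.

```python
from pathlib import Path

# Real Linux interface, present from kernel 4.15; older kernels lack it.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample of what a partly patched x86 host might report.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": None,  # file missing
}


def read_sysfs(sysfs_dir=SYSFS_DIR):
    """Return {issue: file text, or None when the kernel has no such file}."""
    texts = {}
    for issue in ISSUES:
        try:
            texts[issue] = (Path(sysfs_dir) / issue).read_text()
        except OSError:
            texts[issue] = None
    return texts


def classify(text):
    """Map one status line to a triage state (labels are this example's own)."""
    if text is None:
        # Kernel too old to report: unknown, never assumed safe.
        return "unknown"
    text = text.strip()
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if text.startswith(prefix):
            return state
    return "unknown"


def needs_action(texts):
    """Issues on this host that still need a patch or network isolation."""
    return sorted(issue for issue in ISSUES
                  if classify(texts.get(issue)) in ("vulnerable", "unknown"))


if __name__ == "__main__":
    texts = read_sysfs()
    for issue in ISSUES:
        print(f"{issue:11} {classify(texts[issue]):13} {(texts[issue] or '').strip()}")
    print("needs action:", ", ".join(needs_action(texts)) or "none")
```

A unit whose kernel does not provide these files is reported as unknown rather than safe, so it stays on the list of systems to firewall until it is patched.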
“We are currently not aware of effective countermeasures that will eliminate the root cause of Spectre, short of hardware redesign.”
This means that an industrial system could carry the vulnerability for its operational lifetime, as the underlying vulnerability is caused by CPU architecture design.
Items that could be affected by these chips
- IPCs (Intel)
- HMIs (Intel/ARM)
- Switches (ARM)
- iPads (ARM)
- iPhones (ARM)
- Android devices (ARM)
- Remote access units (ARM)
Phoenix Contact’s mGuard will stop an attacker accessing a device. Because it uses an NXP processor, it is not affected by the processor bugs. It includes a full state firewall, allowing you to take control of your network or protect systems that are vulnerable or un-patchable.