Mondoo

Secure Industry 4.0 with xSPM

Industry 4.0 has introduced a new level of integration between IT and operations technology (OT) in modern industrial automation systems. This integration has led to higher demands on IT security because any security risks in the OT world can impact the IT world and vice versa. This blog post proposes an open source solution called xSPM (extensible security posture management) that can help organizations manage the security and compliance of their complete infrastructure, including on-premises, cloud, and SaaS services. In this post, we will discuss the benefits of xSPM and how it can help secure Industry 4.0.

Patrick Münch
6 min read

Programmable logic controllers (PLCs)

Programmable logic controllers (PLCs) are industrial computers used in Industry 4.0 to control manufacturing processes. They are reliable, precise, and scalable, making them a suitable control solution for modern industrial automation systems. The new generation of PLCs has replaced classical manufacturing automation technology, which was often proprietary and limited in scope.

The need for security in Industry 4.0

In today's manufacturing automation technology world, all participants must dynamically exchange data with each other across systems and company boundaries. This has resulted in higher demands on IT security. Even a single disruption in the IT or OT world can lead to massive downtime and production losses. Therefore, it is essential to ensure that security is integrated into all aspects of an organization's infrastructure, from code creation to runtime.

What is xSPM

xSPM is an open-source solution that provides a set of best practices and tools to help organizations manage the security and compliance of their complete infrastructure.


It includes several key components, such as cloud-native application protection (CNAPP), cloud security posture management (CSPM), cloud workload protection platforms (CWPP), cloud infrastructure entitlement management (CIEM), Kubernetes security posture management (KSPM), SaaS security posture management (SSPM), and edge computing security posture management (ECSPM). Each component plays a crucial role in ensuring the overall security and compliance of the infrastructure.

Benefits of xSPM

Traditional security tools and approaches are limited in scope: they are designed either for on-premises data centers or for cloud-native applications, but not for both. An xSPM solution gives organizations a single, comprehensive view of their infrastructure security, allowing continuous monitoring and the identification of potential security threats and vulnerabilities. By implementing xSPM, organizations can:

  • Detect configuration drift and minimize the risk of successful attacks and data breaches
  • Ensure the security and compliance of their complete infrastructure, from code creation to runtime
  • Work from one comprehensive solution that provides a unified view of their infrastructure security, allowing continuous monitoring and the identification of potential security threats and vulnerabilities

Using cnspec to find old firmware and misconfigurations

As an example, let's take the PLCnext AXC F 2125 from Phoenix Contact, which is based on the ARM Cortex-A9 processor and has an IEC 61131 runtime system. cnspec is an open source tool that offers different options for scanning the Linux-based PLCnext device to detect old firmware and misconfigurations. There are two ways to scan the PLCnext using cnspec: via the SSH provider, or with cnspec running on the PLCnext itself. In this guide, we provide step-by-step instructions for both methods.

Scanning PLCnext via SSH provider

  1. Install cnspec on your notebook.

  2. Test the connection and establish a cnspec shell to the PLCnext by running the following command:

Bash
cnspec shell ssh admin@192.168.1.10 --ask-pass

  3. Execute the following MQL command within the cnspec shell:

MQL
file("/etc/plcnext/arpversion").content

As the shell output shows, we were able to connect to the PLCnext via SSH and execute a first MQL command.

  4. Download the PLCnext policy from the public cnspec-policies repository to perform a basic security check by running the following command:

Bash
git clone https://github.com/mondoohq/cnspec-policies

  5. Run the following command to perform a complete security scan of the PLCnext via SSH:

Bash
cnspec scan ssh admin@192.168.1.10 -f cnspec-policies/community/mondoo-phoenix-plcnext-security.mql.yaml --ask-pass

Scanning PLCnext via cnspec running on PLCnext

To scan the PLCnext via cnspec running on the PLCnext itself, follow these steps:

  1. Execute the following commands to install cnspec on the PLCnext:

Bash
# Change working directory
cd /media/rfs/rw/
# Create mondoo directory
mkdir mondoo
# Navigate to directory
cd mondoo
# Download cnspec tool
curl -L https://install.mondoo.com/package/cnspec/linux/armv7/tar.gz/latest/download -o cnspec.tar.gz
# Decompress
tar xzf cnspec.tar.gz
# Remove compressed file
rm cnspec.tar.gz
# Verify installation
./cnspec version

  2. Log into your free Mondoo account at console.mondoo.com, go to the Integrations tab and select Workstation. Open the manual setup tab and copy the last command (Login to Mondoo Platform) to register your cnspec client:

Bash
./cnspec login --token 'eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9...'

  3. Upload and activate the PLCnext policy ("mondoo-phoenix-plcnext-security.mql.yaml") in the Mondoo Dashboard: go to the Policy Hub, select Add Policies and upload the policy.

  4. Select the Phoenix PLCnext Security Policy and click Enable to activate the policy for the Space.

  5. Deactivate all other policies. The Policy Hub should now show only the Phoenix PLCnext Security Policy.

  6. Run the cnspec scan using the Phoenix PLCnext Security Policy:

Bash
./cnspec scan

To run the cnspec scan regularly, simply create a cron job under "/etc/cron.hourly/mondoo" with the following content:

Bash
#!/bin/sh
/media/rfs/rw/mondoo/cnspec scan --config /opt/plcnext/.config/mondoo/mondoo.yml
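As an added example that is not part of the Mondoo post, the following wrapper can replace the two-line cron file above: it keeps a scan from overlapping the next hourly run, writes a local log, and passes cnspec's exit code back to cron. The cnspec and config paths are the ones from the post; the log path, the lock directory and the assumption that the file under /etc/cron.hourly is executable are mine.

```shell
#!/bin/sh
# Added example (not from the Mondoo post): hourly cnspec scan wrapper for
# /etc/cron.hourly/mondoo. CNSPEC and CONFIG come from the post; LOG and
# LOCKDIR are assumptions. All four can be overridden via the environment.

CNSPEC=${CNSPEC:-/media/rfs/rw/mondoo/cnspec}
CONFIG=${CONFIG:-/opt/plcnext/.config/mondoo/mondoo.yml}
LOG=${LOG:-/media/rfs/rw/mondoo/cnspec-scan.log}
LOCKDIR=${LOCKDIR:-/tmp/cnspec-scan.lock}

# Append one UTC-timestamped line to the log.
log() {
  printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$LOG"
}

# run_scan: run a single cnspec scan under a mkdir lock (mkdir is atomic on
# POSIX filesystems), so a slow scan is never overlapped by the next run.
# Returns cnspec's own exit code, or 75 (EX_TEMPFAIL) when a scan is
# already in progress.
run_scan() {
  if ! mkdir "$LOCKDIR" 2>/dev/null; then
    log "scan already running (lock $LOCKDIR exists), skipping"
    return 75
  fi
  log "scan started"
  "$CNSPEC" scan --config "$CONFIG" >> "$LOG" 2>&1
  rc=$?
  rmdir "$LOCKDIR"
  log "scan finished with exit code $rc"
  return $rc
}

# Entry point: run-parts invokes the file by its path under
# /etc/cron.hourly (the file must be executable). Sourcing it elsewhere,
# e.g. for testing, defines the functions but starts no scan.
case "$0" in
  */cron.hourly/*) run_scan ;;
esac
```

The exit code of run_scan is the script's exit code, so a failed scan shows up in cron's mail or journal rather than disappearing silently.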

Once the cnspec scan is completed, you can easily view the results by copying the link from the command line interface and visiting the Mondoo Dashboard. From there, you can see all of the identified vulnerabilities and receive recommendations on how to fix them.


Mondoo's security solution provides a comprehensive approach to identifying vulnerabilities and misconfigurations across both IT and OT systems. By regularly scanning your systems, you can proactively identify and fix potential security issues before they become a problem.

About the Author

Patrick Münch

Co-Founder & CISO

As Chief Information Security Officer (CISO) at Mondoo, Patrick is highly skilled at protecting and hacking every system he gets his hands on. He built a successful penetration testing and incident response team at SVA GmbH, whose goal was to raise the security level of companies and limit the impact of ransomware attacks. Now, as part of the Mondoo team, Patrick can help protect far more organizations from cybersecurity threats.
