H.D. Moore's Critical IO project recently uncovered thousands of serial port servers that are connected to the Internet and basically unprotected. How can organizations protect these serial ports, and what's the danger if they are left unprotected?
Ask the Expert
Have questions about network security for expert Brad Casey? Send them via email today! (All questions are anonymous)
The problem of securing legacy systems will never go away; the speed with which technology changes is simply too difficult for most organizations to keep up with. In regard to serial port servers, while many associate these devices with printers, scanners, and the like, I think the average reader would be astounded at how prevalent the technology is within contemporary enterprise environments.
The study conducted by H.D. Moore found that serial port technology is still being used to connect to fuel pumps, traffic lights and other critical infrastructure. With regard to how an organization can protect existing serial ports, I would offer much of the same advice that Moore offered.
Oftentimes, the access to these ports that Moore achieved was due to improper configuration. If you haven't already done so, conduct a network audit and compile a list of all the legacy systems that may have insecure serial ports and related devices. Contact the device or software vendors to ensure you not only have the latest software or firmware installed, but that you also have the devices configured according to their best practices. Assuming your vendors aren't much help, there are third-party consultants that exist for the sole purpose of securing legacy ports and devices, so consider contacting them and relying on their expertise, particularly if your audit turns up a variety of unusual and potentially risky devices.
In addition, I would ensure that the only way to access such ports is via an encrypted connection. This may require purchasing and installing a secondary hardware device, such as a VPN or multipurpose firewall, but it is imperative that this be accomplished -- especially if the serial port in question manages a critical piece of public infrastructure. (One can only imagine the havoc that can be wreaked on areas where the stoplight infrastructure has been hacked.)
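As an added illustration of the audit step recommended above (example code written for this page, not part of Brad Casey's answer or H.D. Moore's project), the script below takes nmap "grepable" (-oG) output from an internal scan and flags hosts that look like serial-port servers reachable over cleartext. The port-to-service mapping is an assumption drawn from common vendor defaults (telnet, Digi RealPort, Lantronix serial tunnels and their UDP discovery protocols), not a vendor fingerprint, and the scan text embedded in the block is a constructed sample, not real scan data.

```python
"""Audit nmap -oG output for serial-port servers exposed without encryption.

Added example for this page. Port-to-service mappings below are assumptions
based on common vendor defaults; confirm them against your vendor's docs.
"""
import re
from dataclasses import dataclass, field

# Assumed defaults for common serial-port servers (TCP): cleartext console/tunnel.
CLEARTEXT_SERIAL = {
    23: "telnet console",
    771: "Digi RealPort (unencrypted)",
    10001: "Lantronix raw serial tunnel",
}
# Assumed UDP discovery/management protocols that should never face the Internet.
CLEARTEXT_DISCOVERY = {
    2362: "Digi ADDP discovery (udp)",
    30718: "Lantronix discovery (udp)",
}
# Assumed encrypted access paths (TCP); these are acceptable behind a VPN/firewall.
ENCRYPTED_ACCESS = {22: "ssh", 443: "https", 1027: "Digi RealPort (TLS)"}

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}

# nmap -oG port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/")

# Constructed sample scan output (not real data). Fields are tab-separated.
SAMPLE_SCAN = """# Nmap grepable output (constructed sample)
Host: 10.0.5.12 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 771/open/tcp//realport///\tIgnored State: closed (997)
Host: 10.0.5.13 ()\tPorts: 22/open/tcp//ssh///, 1027/open/tcp//realport-ssl///\tIgnored State: closed (998)
Host: 10.0.5.14 ()\tPorts: 2362/open/udp//addp///, 23/filtered/tcp//telnet///
Host: 10.0.5.15 ()\tStatus: Up
"""


@dataclass
class HostFinding:
    ip: str
    cleartext: list = field(default_factory=list)
    encrypted: list = field(default_factory=list)
    discovery: list = field(default_factory=list)

    @property
    def severity(self):
        """Cleartext serial access is the worst case; discovery protocols
        leak inventory; encrypted-only hosts are recorded for the audit list."""
        if self.cleartext:
            return "HIGH"
        if self.discovery:
            return "MEDIUM"
        return "INFO"


def parse_grepable(text):
    """Return {ip: [(port, proto), ...]} for ports reported open in -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        open_ports = [
            (int(port), proto)
            for port, state, proto, _service in PORT_RE.findall(ports_field)
            if state == "open"
        ]
        hosts.setdefault(ip, []).extend(open_ports)
    return hosts


def audit(text):
    """Classify every host with a recognised serial-server port; worst first."""
    findings = []
    for ip, ports in parse_grepable(text).items():
        finding = HostFinding(ip)
        for port, proto in ports:
            if proto == "tcp" and port in CLEARTEXT_SERIAL:
                finding.cleartext.append(CLEARTEXT_SERIAL[port])
            elif proto == "udp" and port in CLEARTEXT_DISCOVERY:
                finding.discovery.append(CLEARTEXT_DISCOVERY[port])
            elif proto == "tcp" and port in ENCRYPTED_ACCESS:
                finding.encrypted.append(ENCRYPTED_ACCESS[port])
        if finding.cleartext or finding.discovery or finding.encrypted:
            findings.append(finding)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.ip))


if __name__ == "__main__":
    for f in audit(SAMPLE_SCAN):
        exposed = f.cleartext + f.discovery
        print(f"{f.severity:6} {f.ip:15} "
              f"cleartext={exposed or '-'} encrypted={f.encrypted or '-'}")
```

Run it against a real inventory with `nmap -sS -sU -p T:22,23,443,771,1027,10001,U:2362,30718 -oG scan.txt <range>` and feed `scan.txt` to `audit()`. Anything rated HIGH is a host whose serial console or tunnel can be reached without a VPN, SSH or TLS in the path, which is exactly the exposure the question describes; MEDIUM hosts answer vendor discovery broadcasts and will show up in Internet-wide scans even if the console itself is locked down.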
This was first published in October 2013