Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published yet another advisory about a vulnerability in a SCADA Human Machine Interface system, this time from a vendor in China, Sunway. The heap-based buffer overflow vulnerability affects two Sunway systems, the ForceControl and pNetPower applications.
There are no published exploits for the vulnerabilities and ICS-CERT estimates that it would take an attacker with an intermediate skill level to exploit them. Sunway has published separate patches for each system.
The interesting thing about this particular set of vulnerabilities is that the security researcher who reported them is Dillon Beresford of recent Siemens vulnerability fame. Obviously Dillon is no one-hit wonder.
ICS-CERT Monthly Monitor Published
ICS-CERT also published the second issue of their Monthly Monitor today. There is a very interesting description of the vulnerability disclosure procedures used by ICS-CERT; an appropriate topic given recent complaints about their apparent inaction on Dillon’s Siemens disclosure.
The part of the disclosure process that was new to me is that, under coordinated disclosure, ICS-CERT prepares a limited-distribution advisory that is released the day the vendor publishes the patch or mitigation strategy. According to the Monitor, this is published on a ‘secure portal library’, “which is available only to a limited vetted membership—primarily CIKR asset owners, federal, state, local, and tribal agencies”. No word on how one gains membership in this elite group.
As a blogger/reporter on chemical security issues I would not expect to be invited/allowed to join such a group. Even if I could, I don’t think that I would accept because of the undoubted limitations on disclosure that would accompany such membership.
I would suspect that any cyber security manager at a high-risk chemical facility, or any facility on the Critical Infrastructure Key Resources (CIKR) list should be interested in joining this group. I’m not sure how you would go about requesting membership, but I suspect that an email to ICS-CERT@dhs.gov would be a good place to start asking the questions.