When the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) first published their advisory on the Progea Movicon TCPUploadServer Vulnerability back in March they stated that: “No exploits are known to target this vulnerability.” That has obviously changed as the revision to that advisory published today notes that: “Known exploits are now targeting this vulnerability. ICS-CERT strongly urges existing users to update vulnerable installations as soon as possible.”
Have There Been Attacks?
The ‘strongly urges’ wording would seem to imply that exploits have been detected in actual use against systems using the Progea Movicon human machine interface identified in this advisory. If this is the case, it would be nice if ICS-CERT would clearly state that and provide appropriate (and probably limited) details about such attacks (scrubbed to protect the victim’s identity, of course).
Readers might recall that this was just one of a number of HMI-related ICS-CERT advisories and alerts issued this year. One of the problems with these systems is that they are typically bundled as part of an overall control system. While one might expect to find this vulnerable HMI in a Progea SCADA system, it is not clear that only Progea systems would contain this HMI.
Given the recent history of HMI vulnerabilities and now possibly actual attacks via those HMI vulnerabilities, it would be a very smart move for facility cyber security officers to know what HMI is used in their on-site SCADA systems. The vendor should certainly be able to provide that information (whether they are willing is potentially a completely different story).
Remember, though: if your SCADA system uses (for example) the Progea Movicon HMI, do not assume that you can apply the Progea patch to a non-Progea system. Contact your vendor or ICS-CERT for advice on how to proceed.