With the folks at Digital Bond releasing more of their Basecamp SCADA tools today, the DHS ICS-CERT was forced to update their alerts for three of the systems that were addressed in the Basecamp exercise. Those alerts directly affect the Koyo ECOM100 Ethernet Module, the Schneider Electric Modicon Quantum PLC, and the Rockwell Automation ControlLogix PLC.
When I first read the updates (a paragraph added to each existing alert) I was impressed by the fact that ICS-CERT acknowledged that the Rockwell vulnerabilities also apply to PLCs from vendors other than Rockwell. That Alert states:
“As this exploit does not specifically target a system and is aimed at a protocol employed by many PLC vendors, this release could impact many additional vendors.”
Unfortunately, when I went back and read the announcement on Digital Bond I was more impressed by the whopping understatement in that ICS-CERT remark. Reid Wightman explains the extent of the term ‘many PLC vendors’ this way:
“About 300 vendors belong to the organization responsible for the EtherNet/IP CIP specification, so the list of affected devices is going to be…large. This vulnerability should include some systems by Schneider Electric, WAGO, Omron, Opto 22, Phoenix Contact, and ABB, just as examples.”
NOTE: The ‘300 vendors’ link takes you to the directory of ODVA members. I’m not sure how many of these vendors actually produce PLCs. The links on that page do not take you to vendor web sites, just a pop-up of the street address of the vendor.
Of course, complicating this further is that many manufacturing systems come as complete packages with PLCs pre-installed. In many cases the owner has no idea which vendor supplied the PLC in the system.
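One practical check for that last point: ask the device itself. Every EtherNet/IP node answers a ListIdentity request (encapsulation command 0x0063) with a CIP Identity item carrying its ODVA vendor ID, device type, revision, serial number and product name, so an owner can inventory the controllers inside a packaged system without opening a cabinet or calling the integrator. The script below is an added example written for this post, not tooling from Digital Bond, ICS-CERT or any vendor. The sample reply bytes (a hypothetical ControlLogix at 192.168.1.10, product code 54, revision 20.11) are constructed for the example; the vendor table embeds only ID 1 (Rockwell Automation) and reports any other ID as unresolved, to be looked up in ODVA’s vendor registry.

```python
"""Identify the vendor behind an EtherNet/IP device with a ListIdentity request.

Added example for this post, not code from Digital Bond, ICS-CERT or any vendor.
The sample response is constructed; only ODVA vendor ID 1 is mapped to a name.
"""
import socket
import struct

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_CIP_IDENTITY = 0x000C

# 24-byte encapsulation header: command, length, session, status, sender context, options
HEADER = struct.Struct("<HHII8sI")
# Identity item, after its 2-byte encapsulation protocol version:
#   16-byte socket address (big-endian family, port, IPv4 address, 8 zero bytes) ...
SOCKADDR = struct.Struct(">HH4s8s")
#   ... then vendor ID, device type, product code, revision major/minor, status, serial
IDENT_FIXED = struct.Struct("<HHHBBHI")

# ODVA vendor IDs: only the one this post is about is embedded here.
VENDOR_IDS = {1: "Rockwell Automation/Allen-Bradley"}
# CIP device type codes for the two kinds of node an owner most wants to spot.
DEVICE_TYPES = {0x0C: "Communications Adapter", 0x0E: "Programmable Logic Controller"}


def build_list_identity_request():
    """Header-only request: ListIdentity carries no payload and needs no session."""
    return HEADER.pack(CMD_LIST_IDENTITY, 0, 0, 0, b"\x00" * 8, 0)


def parse_list_identity(data):
    """Parse a ListIdentity reply into a list of identity dicts (one per item)."""
    if len(data) < HEADER.size:
        raise ValueError("reply shorter than the encapsulation header")
    command, length, _session, status, _ctx, _opts = HEADER.unpack_from(data, 0)
    if command != CMD_LIST_IDENTITY or status != 0:
        raise ValueError("not a successful ListIdentity reply (cmd=%#x status=%d)" % (command, status))
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated reply")
    (count,) = struct.unpack_from("<H", payload, 0)
    offset, devices = 2, []
    for _ in range(count):
        if offset + 4 > len(payload):
            break  # item count claims more than the reply holds
        item_type, item_len = struct.unpack_from("<HH", payload, offset)
        body = payload[offset + 4:offset + 4 + item_len]
        offset += 4 + item_len
        # Skip unknown or short items rather than indexing past the reply.
        if item_type != ITEM_CIP_IDENTITY or len(body) < 2 + SOCKADDR.size + IDENT_FIXED.size + 2:
            continue
        pos = 2  # skip encapsulation protocol version
        _family, port, addr, _zero = SOCKADDR.unpack_from(body, pos)
        pos += SOCKADDR.size
        vendor, dev_type, product, rev_major, rev_minor, dev_status, serial = IDENT_FIXED.unpack_from(body, pos)
        pos += IDENT_FIXED.size
        name_len = body[pos]
        name = body[pos + 1:pos + 1 + name_len].decode("ascii", "replace")
        pos += 1 + name_len
        state = body[pos] if pos < len(body) else None
        devices.append({
            "ip": socket.inet_ntoa(addr),
            "port": port,
            "vendor_id": vendor,
            "vendor": VENDOR_IDS.get(vendor, "unresolved ODVA vendor ID %d" % vendor),
            "device_type": DEVICE_TYPES.get(dev_type, "device type %#04x" % dev_type),
            "product_code": product,
            "revision": "%d.%d" % (rev_major, rev_minor),
            "status": dev_status,
            "serial": "%08x" % serial,
            "product_name": name,
            "state": state,
        })
    return devices


def build_sample_response():
    """Constructed reply from a hypothetical ControlLogix at 192.168.1.10 (sample data)."""
    name = b"1756-L61/B LOGIX5561"
    item = (struct.pack("<H", 1)  # encapsulation protocol version
            + SOCKADDR.pack(2, ENIP_PORT, socket.inet_aton("192.168.1.10"), b"\x00" * 8)
            + IDENT_FIXED.pack(1, 0x0E, 54, 20, 11, 0x0030, 0x12345678)
            + bytes([len(name)]) + name
            + bytes([3]))  # state
    payload = struct.pack("<HHH", 1, ITEM_CIP_IDENTITY, len(item)) + item
    return HEADER.pack(CMD_LIST_IDENTITY, len(payload), 0, 0, b"\x00" * 8, 0) + payload


def probe(host, timeout=2.0):
    """Send ListIdentity over UDP to one host and parse the reply (network; not run here)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_list_identity_request(), (host, ENIP_PORT))
        reply, _peer = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_list_identity(reply)


if __name__ == "__main__":
    import sys
    devs = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_list_identity(build_sample_response())
    for d in devs:
        print("%s  %s  %s  rev %s  %s" % (d["ip"], d["vendor"], d["device_type"], d["revision"], d["product_name"]))
```

Run with no arguments to parse the constructed sample, or with a host address to query a real controller over UDP 44818. Send it only on networks you own and control and one host at a time: the whole point of these alerts is that the protocol these devices speak offers no protection, so treat any unexpected traffic to a production PLC as a potential outage.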
We all knew that Project Basecamp was blowing the lid off of industry’s ability to ignore the PLC security issue. Even so, the scope of the problem is becoming even more mind-blowing as more information comes out of the project.
Another interesting question comes to mind. How is ICS-CERT going to deal with the multiple-vendor issue for the Rockwell alert? Are they just going to coordinate with Rockwell to resolve the vulnerability? Rockwell is undoubtedly big, but are they big enough to pull the entire ODVA membership into accepting a change to the communications protocol to secure access to the PLCs? Or is ICS-CERT going to cajole the ODVA directly, or try to deal with each of the vendors involved?
What is certain is that it is going to be quite a while before we have a resolution to these three alerts.