Today the folks at DHS ICS-CERT published another advisory on Invensys Wonderware (the last one was published just last Friday) and made available an updated version of their Cyber Security Evaluation Tool (CSET).
The Wonderware Advisory is based upon multiple vulnerabilities reported by Terry McCorkle and Billy Rios in a coordinated disclosure. The vulnerabilities involve:
• Cross-Site Scripting;
• SQL Injection; and
• Permissions, Privileges and Access Control.
All three vulnerabilities are remotely exploitable by an attacker with a low skill level even though there is no known exploit code publicly available for these vulnerabilities. A successful attack could result in denial of service or execution of arbitrary code. A social engineering attack ‘may’ be required to exploit these vulnerabilities.
Invensys has produced software updates that can be used to mitigate these vulnerabilities. Interestingly, for this advisory there is an actual link to download the update, whereas the previous advisory provided a link to an admin publication describing what to do to mitigate the vulnerabilities. I wonder why the different approaches.
I also wish that ICS-CERT would settle on one standard method of dealing with multiple advisories on the same applications. They have done it by updating an advisory with the additional vulnerabilities (makes a certain amount of sense). In this case they went with separate advisories. I can’t figure out why they would do this two different ways. Government agencies typically like consistency.
Cyber Security Evaluation Tool v 4.1
I wrote about the publication of version 4.0 of this program last August. As best I can tell, that information is relatively current. All of the supporting documentation (the Fact Sheet and the Download instructions) for the earlier version is identical to that currently on the CSET web site. You can also still send an email to CSET@dhs.gov to obtain the program on a DVD. Oh, and finally, you can still request ICS-CERT provide on-site assistance in applying the CSET evaluation to your control system.
The only difference that is noted on the ICS-CERT web site is that this latest version of CSET now includes the capability of preparing a network diagram using MS Visio®. The diagram can be drawn in Visio® and uploaded to the application, or drawn in the CSET application and downloaded as a Visio® file. Preparing a detailed network diagram in this manner makes it much easier for CSET to analyze the unique ICS layout for the installation. It also allows the program to formulate specific questions about your system architecture to help make the analysis more complete.
As I noted in the earlier blog post on this tool, the ICS-CERT folks have provided the capability for the tool to analyze the ICS security status for high-risk chemical facilities covered under CFATS. Since ISCD has almost no industrial control system security expertise (and I am almost certainly being generous here), showing that the facility has conducted a security assessment using CSET should certainly go a long way to convincing the Chemical Security Inspectors that the facility has assessed and addressed their RBPS (Risk-Based Performance Standard) 8 (Cyber Security) requirements.
Until ISCD gets the necessary expertise in-house to do a real ICS cybersecurity assessment (unlikely any time soon) or signs a memorandum of understanding (MOU) with ICS-CERT to have them conduct that portion of the site security plan review, this will probably be the best way to address control system security requirements within CFATS.