An anonymous reader responded to my earlier post about ABB not patching a ‘legacy control system’ for a vulnerability recently reported by ICS-CERT. That reader noted that:
“The ABB Cyber Security portal (http://www.abb.com/cybersecurity) contains a detailed advisory on the vulnerability including a link to a whitepaper covering steps to improve the security of the WebWare components.”
The reader is absolutely correct. There is an advisory which does provide a little more detail than the ICS-CERT advisory. The ABB site does also include a ‘white paper’ about mitigation measures to protect the vulnerable WebWare application. That publication provides significantly more detailed mitigation information than does the ICS-CERT advisory; that is only to be expected. I think that ICS-CERT did a disservice to the cybersecurity community by not providing a link to either one or both of these documents in its advisory (one would normally expect to find similar links in these ICS-CERT documents) rather than just the generic comment:
“Users of these products are directed to the available documentation on mitigating risk and securing their machines and production environments.”
One would like to think that this was a simple oversight on the part of ICS-CERT and not a passive-aggressive response to the announcement that ABB would not patch this particular system because of its age. An update of the advisory providing one or more of these links would be appropriate.
Still Not a Patch
Still, ABB is not going to patch the affected versions of these products. The mitigation methods that they propose will be moderately successful at preventing attacks on these systems if they are properly employed, but that places the security burden on the technical cybersecurity competency of the owners and operators of the systems. A patch, on the other hand, would remove the vulnerability in a manner that would only require the level of system competency necessary to operate the application in the first place.
They note that it is a ‘legacy product’ and it is no longer supported. The unstated reasoning is almost certainly that they have only limited programming resources and those are better spent developing new products and supporting existing products that are in wider use. And that is certainly a justifiable corporate strategy.
Now I don’t know how old the vulnerable WebWare applications are; probably ancient in computer-years. Nor do I know how many of these systems are in current service (nor do I suspect that ABB really knows). I do believe, however, that it is safe to assume that there are robotic manufacturing systems out there in the real world that are running under these vulnerable applications. And those systems are potentially open to serious cyberattacks via the vulnerabilities reported by McCorkle and Rios.
Now this problem is not unique to ABB; they are just the company that is currently under the microscope. For decades the control system community, vendors and users alike, ignored security issues in the expectation that they were protected by the duality of isolation and obscurity. That is no longer the case; we know that these systems have exploitable vulnerabilities, and more of the specific vulnerabilities are being identified every day.
Because of the cost and complexity of industrial control systems, many of these legacy, completely unprotected systems are going to be around for a while. The control system community is going to have to decide how to deal with the security of these legacy systems. Here are a couple of options:
• Ignore the problem until something blows up in our faces (the likely solution);
• Government requires vendors to provide security support to control systems in critical infrastructure in perpetuity (not very likely);
• Government requires critical infrastructure owners to upgrade control systems to security enabled versions (somewhat more likely but how do you define security enabled? Does WinCC count? Let Dale and Siemens argue that.);
• A new startup company of retired control systems engineers provides patching services for legacy systems (great idea but would current vendors give up old code? Probably not, too much code re-use.); or
• Congress provides tax incentives to upgrade unsupported legacy systems with new control systems (how many systems would be declared unsupported the day that law takes effect?).
I don’t have a good solution, but it is something that we as a community need to start talking about. If you’re a firm believer in government intervention, start talking with your pet congresscritter about getting this addressed in whatever cybersecurity legislation starts to move forward. If you’re an ICS owner, start talking with your vendor to determine how much longer your active control system will continue to be supported, and start thinking about upgrading to a secure-by-design control system.