Yesterday DHS ICS-CERT published two advisories for control systems vulnerabilities and the “Roadmap to Secure Control Systems in the Transport Sector”. The advisories deal with another self-reported Siemens problem and a new ‘we-don’t-see-it’ vulnerability; this time in the ORing Industrial DIN-Rail Device Server 5042/5042+ systems
Last year the DHS CSSP and the DOT John A Volpe National Transportation Systems Center joined together to sponsor the Transportation Roadmap Working Group to develop a roadmap for cybersecurity of control systems in the Transportation Sector. The group consisted of representative from a variety of transportation related government agencies and private sector organizations.
This is a 56 page document and will take some digesting before I can provide any real analysis of its usefulness, but I will quote here from the forward to provide the Working Group’s perspective on what this document is supposed to be.
“The Roadmap to Secure Control Systems in the Transportation Sector (Transportation Roadmap) describes a plan for voluntarily improving industrial control systems (ICSs) cybersecurity across all transportation modes: aviation, highway, maritime, pipeline, and surface transportation. This Transportation Roadmap provides an opportunity for transportation industry experts to offer input concerning the state of control systems cybersecurity and to communicate recommended strategies for improvement. This Transportation Roadmap brings together transportation stakeholders from all modes, including government agencies and asset owners and operators, by offering a common set of cybersecurity goals and objectives, with associated metrics and milestones for measuring performance and improvement over a ten-year period.”
Interestingly only six of the eighteen member of the working group come from the private sector; two reps from one shipping line, one industry group (public transportation), an aircraft manufacturer (well ‘formerly’ from Boeing) and representatives from the two transportation related Information Sharing and Analysis Centers (ISACS). The three non-federal government agencies all come from California and two of those from Los Angeles. At first glance this hardly seems to represent ‘all transportation modes’.
The Siemens advisory concerns the latest in a number of self-reported control system vulnerabilities. This one deals with an insecure HTTPS certificate storage vulnerability in Siemens’ S7-1200 PLC. A moderately skilled attacker can obtain the private key for the HTTPS certificate authority for the PLC and use it to create a forged certificate to conduct a man-in-the-middle attack on the browser communicating with the PLC.
Since the PLC also has a properly protected private key used to dynamically generate its own certificate the recommended mitigation is to (pg 2) “uninstall the CA signing keys from the Web browser’s certificate store” FOR EACH PLC (sorry for yelling, but are you kidding me? How many PLCs does your system use?). Oh yes, then you have to (pg3) “manually confirm the identity of the PLC and accept its certificate via the browser” FOR EACH PLC.
Okay, kudos again to Siemens for self-reporting this, but this was really poor design. Damned if this isn’t going to be a major headache for systems engineers.
NOTE: The Siemens-CERT notes that this vulnerability was discovered by ‘a researcher’. Naming that researcher might have encouraged other researchers to contact Siemens with future vulnerabilities rather than publicly disclosing them.
Slam Another Uncooperative Vendor
ICS-CERT takes on another uncooperative vendor, this time ORing Industrial Networking is labeled as an ‘unresponsive’ vendor over a reported vulnerability in their DIN-Rail Device Server. Reid Wightman reported (NOTE: ICS-CERT did publish this link in the advisory - kudos) the hard-coded credential vulnerability.
I am kind of confused though. Reid’s post on DigitalBond.com is dated June 13th (and addresses two different devices from two different manufacturers). Typically this should have resulted in an alert (or two) about the publicly identified vulnerability and this advisory should be the follow-up to that document. There was no alert published that I can see.
A relatively unskilled attacker could remotely use the publicly available exploit to gain administrative access to the device. In the absolute best understatement of the year ICS-CERT explains that this “could result in a loss of availability, integrity and confidentiality” (pg 1).
Other vendors please note one last caveat emptor quote from the advisory (pg 3):
“ICS-CERT is not aware of ORing Industrial Networking developing a patch, update, or fix for the affected products. The ORing software update Web site does not indicate that a new version of firmware or security patch is available.”