Today the DHS ICS-CERT published three advisories for vulnerabilities in industrial control systems applications from Siemens, Progea Movicon, and Innominate. Two of those (the first and last) are related to HeartBleed.
This advisory provides a list of Siemens products that contain or are affected by the HeartBleed vulnerability. They currently only provide one updated to mitigate the vulnerability but do note that they are working on the other product updates. The unusual move to self-identify vulnerable systems before mitigation measures are available was almost certainly undertaken because tools to test for the HeartBleed vulnerability and exploit code for the bug both exist in the wild.
Siemens reports that the following products are affected:
● eLAN-8.2 eLAN < 8.3.3 (affected when RIP is used - update available)
● WinCC OA only V3.12 (always affected)
● S7-1500 V1.5 (affected when HTTPS active)
● CP1543-1 V1.1 (affected when FTPS active)
● APE 2.0 (affected when SSL/TLS component is used in customer implementation)
Siemens has an update available for eLAN (v 8.3.3) and recommends the following interim mitigation measures for the other products until the appropriate update is published:
● WinCC OA V3.12:
o Use VPN for protecting SSL traffic
o Use WinCC OA in a trusted network
● S7-1500 V1.5:
o Disable the web server, or
o Limit web server access to trusted networks only
o Remove the certificate from the browser
● CP1543-1 V1.1:
o Disable FTPS, or
o Use FTPS in trusted network, or
o Use the VPN functionality to tunnel FTPS
● APE 2.0:
o Update OpenSSL to 1.0.1g before distributing a solution. Follow instructions from Ruggedcom  to patch APE 2.0
The VPN recommendations should have come with a caveat that the VPN should have its HeartBleed status investigated before it is used to protect a control system remote access.
This advisory is for an information disclosure vulnerability reported by Celil Ünüver of SignalSEC Ltd in a coordinated disclosure. Progea has developed an update that ICS-CERT reports has been checked and validated by Celil.
ICS-CERT reports that a moderately skilled attacker could remotely execute an attack using this vulnerability to gain access of OS version information.
This advisory notes that Bob Radvanovsky of Infracritical notified ICS-CERT that Innominate has updated their mGuard product firmware to deal with the HeartBleed vulnerability included in versions of those devices. The advisory points at the Innominate advisory published last Friday. Bob also reported this last Friday on the SCADASec List.
It will be interesting to see how many of these HeartBleed advisories get published by ICS-CERT. Most of these will end up being self-reported (even the Innominate advisory was essentially self-reported). I also doubt that there will be much more information in any of the upcoming advisories than we have seen in these two today.
It may be easier for ICS-CERT to just set up a HeartBleed page and updated it when necessary by listing the vendors that have published firmware or software updates that mitigate the vulnerability. I think it would be easier and more informative.