Today the DHS ICS-CERT published an updated version of their advisory on the Network Time Protocol vulnerabilities. This is a fairly extensive update with five separate areas of the advisory being revised. The revisions deal with:
● The scope of the covered systems;
● The scope of the vulnerabilities;
● Additional background information;
● Additional mitigation information; and
● A link to a new document on best practices for using time reference services.
ICS-CERT acknowledges in this new version that a number of vendor systems will be affected by this open source vulnerability. They note that they are working with vendors to determine which systems are specifically vulnerable. They will be publishing a supplement to this advisory that provides additional information on affected systems and unique mitigation measures.
In a rather unusual move ICS-CERT has added two new vulnerabilities to this advisory. They are:
● Authentication bypass by spoofing - CVE-2014-9297; and
● Improper check for unusual or exceptional conditions - CVE-2014-9298
This best practices document is interesting in a lot of ways. First off it has no organizational markings on it and it is prominently labeled “Unclassified”. This kind of leads me to believe that it may be a military document. There is a reference on page one to notifying the Coast Guard in case of a problem with a GPS signal.
About half of the document deals with GPS issues, about 1/3 deals with NPT issues and the remaining space is taken up with a discussion of Cessium clock issues and Time and Frequency Distribution System considerations.
We are seeing an increasing number of systemic vulnerabilities in industrial control systems that affect products from a number of vendors. These type issues make it easier for a serious attacker to develop tools that would be effective across a wide range of control system platforms. This would make things easier for people developing cyber-warfare weapons. A pretty sound argument could be made that a large portion of the ICS-CERT assets should be focused on these types of issues. Advisories of this sort (and the promised future updates and supplements) show that ICS-CERT is taking this type of issue seriously. Whether it is seriously enough, only time will tell.