When I saw the ICS-CERT Tweet, I had suspected that this was going to be a notice that RLE had contacted ICS-CERT with mitigation information about the vulnerability in the Nova-Wind Turbine HMI. Device owners should be so lucky. Instead, this update to last Thursday’s alert is a change in semantics that could only be of interest to lawyers.
Two changes were made to the alert. The first was in the ‘Impact’ section (the change is highlighted):
New – “Plain text credentials can be used to gain unauthorized access to the device. This means that a malicious party could perform any action on the device including change or modify configurations and settings.”
Old – “Plain text credentials can be used to gain unauthenticated access to the device. This means that a malicious party could perform any action on the device including change or modify configurations and settings.”
The second was in the ‘Vulnerability Overview’ section:
New – The Nova-Wind Turbine HMI stores credentials in a plaintext file. If a malicious user recovers this file, then they could use the credentials to authenticate with the HMI and make changes to the configuration.
Old – The NovaWind Turbine HMI stores credentials in a plaintext file. This could allow a malicious user to access the device and make changes to the configuration without authentication.
In both instances the difference lies mainly in the choice between ‘unauthorized’ and ‘unauthenticated’. The use of ‘unauthenticated’ would tend to imply that the system did not require authentication. That is pretty clearly incorrect; the system requires the use of a password. It just does not provide any protection of the password.
Practically speaking, there is no difference. From a lawyer’s perspective it may mean a difference in liability. In the current system it could be argued that the owner is responsible for maintaining control of access to the network adequate to protect the password from being read by an unauthorized person.
I doubt that ICS-CERT came up with this change on their own; they are engineers, not lawyers. I suspect that they were contacted by a legal team from RLE who ‘clarified’ the legal situation for them.
In any case, this change is not a change in any practical matter. If I am right (and I’m sure that no one in ICS-CERT can/will confirm or deny) then this is just one more reason for owners of this system to dump it. It appears that fixing legal liability is more important than fixing really bad security.