Wednesday, March 23, 2016

ICS-CERT Updates ABB Advisory

Yesterday morning the DHS ICS-CERT published an updated version of the ABB Panel Builder Advisory that was published last week. A number of minor revisions were made to the advisory.

First, the advisory reiterates that version 6.0 of the program was not affected by the reported vulnerability. Not sure why this was needed since only version 5.1 was mentioned as being affected and a recommendation that users upgrade to version 6.0 had been included in the original.

Second, there is a clarification that the vulnerability is in the program used to construct Panel 800 HMIs, not in the HMIs themselves as was implied in the original version. Interestingly, this change was followed by a revised deployment description based upon that also corrects the above confusion between the Builder and the HMI. The interesting thing is that this change is made outside of the designated change boundary for change 2 of 4; a minor nit-picking point to be sure.

The third change is the addition of two vanilla security mitigations that are generally applicable to any operation and are not specific to this vulnerability. ICS-CERT advisories routinely include such mitigation measures, but these two were specifically recommended by ABB.

The last change is the addition of a link to the ABB Cyber Security Advisory for this vulnerability. I had provided this same link in my earlier blog post.

NOTE: I missed this when I did my post last night about the new Siemens advisory. The wife and I are moving this week and I only have limited internet access, so I was moving too fast to notice the subtle change in the listing for this advisory. I didn’t notice it until I checked my Twitter® feed and by then I didn’t have enough time to go back and revise the earlier post.

