Today the DHS ICS-CERT published two control system security advisories for products from GE and Phoenix Contact. The GE advisory was previously published on the NCCIC Portal on December 1st, 2016.
This advisory describes an insufficiently protected credentials vulnerability in the GE Proficy Human-Machine Interface/Supervisory Control and Data Acquisition (HMI/SCADA) iFIX, Proficy HMI/SCADA CIMPLICITY, and Proficy Historian software. The vulnerability was reported by Ilya Karpov of Positive Technologies. GE has produced new versions that mitigate the vulnerability. There is no indication that Karpov has been provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a highly skilled attacker could exploit the vulnerability with local access and user interaction. This, however, was the vulnerability that ICS-CERT thought posed enough of a threat to critical infrastructure that it required advance notice to critical infrastructure facilities.
Phoenix Contact Advisory
This advisory describes a default password vulnerability in the Phoenix Contact mGuard product that was induced in the system by updating with version 8.4.1. Phoenix Contact self-reported this vulnerability.