Thursday, July 19, 2018

ICS-CERT Publishes 4 Advisories


Today the DHS ICS-CERT published four control system security advisories for products from Moxa, Echelon, and AVEVA (two advisories).

Moxa Advisory


This advisory describes a resource exhaustion vulnerability in the Moxa NPort serial network interface. The vulnerability was reported by Mikael Vingaard. The latest firmware mitigates the vulnerability. There is no indication that Vingaard has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability by sending TCP SYN packets, causing a resource exhaustion condition that would cause the device to become unavailable.

Echelon Advisory


This advisory describes four vulnerabilities in the Echelon Smart Server and i.LON products. The vulnerabilities were reported by Daniel Crowley and IBM’s X-Force Red team. Echelon has a new version that mitigates three of the vulnerabilities and provides a workaround for the fourth. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Information exposure - CVE-2018-10627;
• Authentication bypass using an alternate path or channel - CVE-2018-8859;
• Unprotected credentials - CVE-2018-8851; and
• Clear text transmission of critical information - CVE-2018-885

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for remote code execution on the device.

InTouch Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Aveva InTouch HMI. This vulnerability was reported by George Lashenko of CyberX. Aveva has updates available that mitigate the vulnerability. There is no indication that Lashenko has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to remotely execute code with the same privileges as those of the InTouch View process, which could lead to a compromise of the InTouch HMI.

InduSoft Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Aveva InduSoft Web Studio and InTouch Machine Edition HMIs. This vulnerability was reported by Tenable Research. Aveva has updates available that mitigate the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote code execution.

ISCD Publishes CFATS Quarterly – July 2018


Today the DHS Infrastructure Security Compliance Division (ISCD) published the latest version of their Chemical Facility Anti-Terrorism Standards (CFATS) Quarterly. It was announced on the CFATS Knowledge Center with the link provided about half-way through the ‘CFATS Quarterlies and Webinars’ section at the bottom of the page.

This periodic document provides information on what has been going on in the CFATS program. Most of the news is about publications that have been made available to help facilities manage their CFATS process; nothing new here that I have not already covered.

In fact, the only really new piece of information is that David Wulf has finally returned to his job as Director of ISCD after having spent the last 18 months as Acting Deputy Assistant Secretary for Infrastructure Protection. This is the second time that Dave has filled this temporary position during the start of a new administration.

Classified ICS Security Information


There is an interesting discussion that has been taking place for a couple of days now over on LinkedIn. It was initiated by Isiah Jones from LEO Cyber Security. A lot of the response has been targeted at Isiah’s confrontational language, but the really important takeaway is that Isiah thinks/knows(?) that there is classified information available about threats to industrial control systems in critical infrastructure in the United States. Now Isiah is being necessarily vague about the information, but the discussion is important nonetheless.

Now I have not had access to classified information of any sort since I left the military a goodly number of years ago. My TS clearance is certainly not in force after this time and I have not had the necessary ‘need to know’ for access in any case. Having said that, I am absolutely certain that such classified information exists and that it is unlikely to get into the hands of many of the people who could actively use that information to protect their facilities against serious nation-state level threats.

All is not lost, however. More about that later in the post.

The Need for Secrecy


Contrary to the beliefs of my friends in the black helicopter set, there are many legitimate reasons for the intelligence community (IC) to keep threat information classified. In most cases, the need to protect future access to critical information is more important than the need to share the current information; this is best exemplified by the Coventry-Ultra controversy from WWII. In other cases, the ‘knowledge’ is either so incomplete as to be useless (the Russians want to be able to attack the power grid) or the level of confidence in the information is so low that the intelligence community does not want to be accused of crying wolf.

Information Sharing Problems


Even when the IC is willing to share information, it is not easy to get the information to the correct people. First off, the information is going to be classified, so the person receiving the information needs to be properly vetted to receive classified information. Anyone familiar with this process knows that it is tedious and time consuming.

If the IC waits until they know who will need a specific piece of information before the vetting process begins, the information will probably be worthless once the process is complete; the whole closing the barn door after the animals have gotten out thing. If you vet everyone that might need access to some specific piece of classified information at some unknown future time, you end up clogging the vetting system even further with probably unnecessary vetting requests.

Even if the appropriate people have the necessary security clearances, getting them the appropriate information in a secure manner is also a problem. Even if secure messaging apps are used to protect the information in transit, the receiving device has to have minimum levels of security to prevent the information from getting into the wrong hands. Those security measures are expensive; too expensive to set up and maintain on the off chance of needing to receive classified information at some unknown point in the future.

This whole thing is further complicated by the fact that within the receiving organization, the information still needs to be protected during the internal sharing process. Everyone that needs access to the information to put proper protections in place needs to be vetted, their communications need to be protected, and many of their working files will be derivatively classified and need similar protections. This stuff gets very complicated; just ask anyone that has done operation planning in the military.

An alternative that many people have advocated (and I am certainly one) is for the IC to produce unclassified versions of their intelligence information to make the sharing process easier. I did this at the tactical intelligence level in one of my military jobs. It is time consuming to try to extract usable information from an intelligence report and then get that unclassified version vetted to ensure that means and methods are not inadvertently disclosed. Usually, the resulting product is useful for background purposes only, providing little or no information that provides for direct reaction by the recipient.

So, What to Do?


So, all is not lost. The IC can tell (and has told) us that adversaries are targeting control systems in critical infrastructure and have sophisticated techniques for doing so. The specific attack vectors are not necessarily important (as other attack vectors will certainly be used in future attacks). What is important to know is that nation-state level actors are involved and thus will ultimately get through defenses that they are really interested in attacking; THERE IS NO SUCH THING AS A SECURE SYSTEM.

First off, facilities need to determine what they really need to protect to survive and thrive. Information that would significantly hurt the company if it found its way into the hands of competitors or other adversaries needs to be encrypted at rest and in transit. Portions of control systems that are necessary for safety and quality control need to be isolated to the greatest extent possible. Where complete isolation is not possible for whatever reason, communications between the critical portions and other networks need to be closely monitored for anomalies. Where safety effects could be felt outside the facility, additional controls need to be implemented that are physically separated from the control network and analog safety measures should be established whenever possible.

Finally, a reaction plan needs to be firmly in place for all worst-case scenarios. The plan needs to assign specific responsibilities and identify any outside resources that need to be contacted, how that contact is to be made (with at least one alternative communications method identified), and who will make the contact. And, most importantly, those outside resources need to know in advance their roles in responding to an emergency event at the facility. That reaction plan needs to be trained and tested on a recurring basis.

Folks, none of this is new. We have been doing fire drills since we were little kids. We take precautions to prevent fires but recognize that fires can happen nonetheless. We install sprinkler systems and place fire extinguishers at key locations. At facilities where we have an unusually high threat for fires because of combustible materials we take additional precautions and put additional reactive measures in place. We need to extend that same mindset to control system security.

Bills Introduced – 07-18-18


Yesterday with both the House and Senate in session there were 41 bills introduced. Of those, one may be of specific interest to readers of this blog:

HR 6430 To amend the Homeland Security Act of 2002 to authorize the Secretary of Homeland Security to implement certain requirements for information relating to supply chain risk, and for other purposes. Rep. King, Peter T. [R-NY-2]

While this will probably be a federal IT specific bill, the supply chain risk requirements may end up being a standard that would be implementable by many organizations due to the purchasing power of the federal government.

Wednesday, July 18, 2018

OMB Approves PHMSA Classification ANPRM


Yesterday the OMB’s Office of Information and Regulatory Affairs (OIRA) announced that it had approved the advanced notice of proposed rulemaking (ANPRM) from the DOT’s Pipeline and Hazardous Material Safety Administration (PHMSA) in regards to actions to be taken by pipeline owners when class location changes result from population increases.

While the intent of this potential rulemaking is the same as when I posted my blog entry on the submission of this rulemaking to OIRA, there has been a substantial change to the Unified Agenda entry on the topic in the Spring 2018 version of the agenda that was released since that earlier post. The Fall 2017 version contained a great deal more supporting information and explanation of what this rulemaking could entail. It is not clear if this is a change in how PHMSA views this potential rulemaking or if it is just an attempt to reduce the verbiage in the Unified Agenda.

Bills Introduced – 07-17-18


Yesterday with both the House and Senate in session there were 37 bills introduced. Of these, three may be of specific interest to readers of this blog:

HR 6399 To direct that certain assessments with respect to toxicity of chemicals be carried out by the program offices of the Environmental Protection Agency, and for other purposes. Rep. Biggs, Andy [R-AZ-5]

HR 6401 To assist the Department of Homeland Security in preventing emerging threats from unmanned aircraft and vehicles, and for other purposes. Rep. McCaul, Michael T. [R-TX-10]

HR 6407 To require the Administrator of General Services to transfer certain surplus computers and technology equipment to nonprofit computer refurbishers for repair and distribution, and for other purposes. Rep. Garrett, Thomas A., Jr. [R-VA-5]

My interest in the first two bills should be rather obvious, but the third is a bit of a stretch for coverage here. What I will be looking for in this bill is any language in the bill that would require agencies to strip all information from the memories from the covered devices before providing them to refurbishers. I do not really expect such language to be there, but I can always hope.

Tuesday, July 17, 2018

ICS-CERT Publishes 3 Advisories and 1 Update


Today the DHS ICS-CERT published three new control system security advisories for products from PEPPERL+FUCHS, WAGO and ABB. They also updated a previously published advisory for products from Rockwell.

PEPPERL+FUCHS Advisory


This advisory describes an improper authentication vulnerability in the PEPPERL+FUCHS VisuNet RM, VisuNet PC, and Box Thin Client (BTC) families of products. The vulnerability was reported by Eyal Karni, Yaron Zinar, and Roman Blachman with Preempt Research Labs. PEPPERL+FUCHS has firmware updates for HMI running RM Shell 4 or RM Shell 5. For HMI running on Windows 7 or Windows 10 platforms the recommendation is to run the applicable Windows update for CVE-2018-0866. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to intercept sensitive communications, establish a man-in-the-middle attack, achieve administrator privileges, and execute remote code.

NOTE: I initially reported on this vulnerability on July 7th, 2018.

WAGO Advisory


This advisory describes three vulnerabilities in the WAGO e!DISPLAY Web-Based-Management. These vulnerabilities were reported by T. Weber of SEC Consult. The latest firmware version mitigates the vulnerabilities. There is no indication that Weber has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2018-12981;
• Unrestricted upload of file with dangerous type - CVE-2018-12980; and
• Incorrect permission for critical resource - CVE-2018-12979

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit the vulnerabilities to execute code in the context of the user, execute code within the user’s browser, place malicious files within the filesystem, and replace existing files to allow privilege escalation.

NOTE: I initially reported on these vulnerabilities on July 14th, 2018.

ABB Advisory


This advisory describes an improper input validation vulnerability in the ABB Panel Builder 800. The vulnerability was reported by Michael DePlante of Leahy Center and Michael Flanders of Trend Micro via the Zero Day Initiative. ABB has provided workarounds pending further investigation of the vulnerability.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could conduct a social engineering attack to exploit this vulnerability to insert and run arbitrary code.

NOTE: I initially reported on this vulnerability on July 7th, 2018.

Rockwell Update


This update provides new information on an advisory that was originally published on June 21st, 2018. The new information is an expansion of the affected versions for all affected products.
