Tuesday, August 16, 2011

ICS-CERT Updates Honeywell ScanServer Advisory

Yesterday afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an update to an advisory that was originally published last April. The revised advisory updates the researcher attribution and vulnerability details, and adds new mitigation information.

The update identifies Secunia as the ‘security researcher’ that originally identified this vulnerability and provides links to two different Secunia pages about the vulnerability. While this information is important to Secunia (and probably the rest of the security research community), the more important bit of information included in this update is the Microsoft mitigation measure it identifies (the availability of an ActiveX kill bit for the control exploited in this vulnerability).

Social Engineering Exploit

Still, the most important thing about this vulnerability, and most vulnerabilities involving ActiveX controls, is that not only does it involve a control system software issue, but it requires the active involvement of someone at the facility. No, not an insider attack, but someone accessing a malicious web site. Facility employees and contractors are not going to surf to these web sites at random; they are going to be drawn to the web site by a social engineering attack.

While the mitigation measures provided by Honeywell and Microsoft will allow facilities to avoid this particular problem, a more important mitigation measure would be to train (and frequently re-train) all employees with control system access on how to identify and avoid social engineering attacks. That would help to prevent exploitation of this vulnerability and a whole host of yet-to-be-identified zero-day vulnerabilities in this and other control systems.
