GE Proficy Advisory from ICS-CERT

Yesterday afternoon the DHS ICS-CERT published an advisory for multiple vulnerabilities in the GE Intelligent Platforms Proficy Real-Time Information Portal. The vulnerabilities were reported by Kuang-Chun Hung of Information and Communication Security Technology Center (ICST) in a coordinated disclosure and had previously been published on the US-CERT secure Portal library.

The Vulnerabilities

Three separate improper input validation vulnerabilities could allow a skilled attacker to remotely execute a denial of service (DoS) attack. GE has provided patches for three of the affected versions (3.0 SP1 SIM 44, 3.5 SIM 17, and 3.5 SP1 SIM 1). Owners of earlier versions are encouraged by GE to upgrade to newer, patched versions of the system.

Upgrading Industrial Control Systems

We are seeing an increasing number of notices about having to upgrade older versions of ICS products to get security fixes put into place. In many ways this is to be expected. A vendor has to make a business decision as to where they are going to expend valuable programming assets, fixing old products or producing new products. In IT systems, this is not nearly the problem that it is in ICS products since we have come to expect having to buy new systems on a frequent basis to deal with new versions of operating systems.

ICS owners, on the other hand, have invested money in their control systems that they expected to see remain in operation for a long time; an eternity in IT-system years. In addition, they have to consider the compatibility of the new control system version with a large number of existing peripheral devices. Even where compatibility may have been assured, modifications made on-site to control devices may render them incompatible with the new system.

Even when the new systems are ‘completely compatible’ with existing equipment, control-systems are not operating in a plug-and-play environment like we see in modern IT systems. Extensive tuning may be required before the control system operates effectively, and multiple iterations of that tuning may be required because of process interactions with other devices.

Making the decision to upgrade to a new version of a control system is not a decision to be made lightly. Vendors should also realize that many organizations, when forced to make such a decision, may decide that it makes for an opportune time to change vendors. I have been in an organization that made just such a decision; the time and effort that would have been required to upgrade was not that much different than that for going to a new system. The other vendor had capabilities that we had wanted to add to our system, but was not worth the hassle of a change on their own. We figured that since we were changing anyway we might as go all the way.