Wednesday, August 7, 2013

ICS-CERT Publishes SEL Advisory

This afternoon the DHS ICS-CERT published an advisory for dual improper input validation vulnerabilities in the Schweitzer Engineering Laboratories’ (SEL) real-time automation controllers (RTAC). The vulnerabilities were reported by Adam Crain of Automatak and Chris Sistrunk in coordinated disclosures.

ICS-CERT reports that these vulnerabilities (one for serial connections and a separate one for IP-based connections; NOTE links will not work for a day or two) could be remotely exploited by a moderately skilled attacker, executing a denial of service attack. SEL has developed a CD-ROM based upgrade packet to mitigate the vulnerabilities. ICS-CERT reports that Crain and Sistrunk have validated the efficacy of the upgrades.

I tried to review the SEL information on these vulnerabilities, but it was not directly available on their web site. Instead SEL allows people with corporate email accounts to sign up to receive distributed information on SEL security notices. Anyone owning any SEL control system equipment should sign up for this service.


Adam Crain said...

SEL gets top marks for their handling. Very professional. The notified customers prior to the ICS-CERT advisory with the appropriate information.

PJCoyle said...

Thanks for the insight Adam. I was slightly disappointed that their advisory wasn't posted on their site (like Siemens does), but if sending it directly to the user makes lots of sense. I just hope that their sales staff is pushing customers to sign up for the service.

/* Use this with templates/template-twocol.html */