Thursday, June 11, 2015

ICS-CERT Publishes Another Wind Turbine Associated Advisory

This afternoon DHS ICS-CERT published an advisory for an unsecure credential vulnerability in the RLE International GmbH Nova-Wind Turbine HMI. The vulnerability was reported by Maxim Rupp. ICS-CERT advises that RLE has been unresponsive in validating or addressing the alleged vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to access the device and make changes to the configuration without authentication.

ICS-CERT has apparently completely given up on RLE. Instead of the standard generic mitigation measures that they typically apply to almost every advisory, ICS-CERT simply reports that:

“ICS-CERT has attempted on multiple occasions to contact the vendor regarding this serious flaw and have according to our vulnerability disclosure policy now produced this advisory. Insecure credential vulnerabilities create a serious risk to asset owners. ICS-CERT strongly recommends ensuring that the impacted product is not connected to the Internet or any network as this vulnerability is remotely exploitable.”

That is probably as close as ICS-CERT can come to saying ‘junk it for your own protection’.
