Yesterday morning the DHS ICS-CERT published an updated version
of the ABB Panel Builder Advisory that was
published last week. A number of minor revisions were made to the advisory.
First, the advisory reiterates that version 6.0 of the
program was not affected by the reported vulnerability. Not sure why this was
needed since only version 5.1 was mentioned as being affected and a
recommendation that users upgrade to version 6.0 had been included in the
original.
Second, there is a clarification that the vulnerability is in
the program used to construct Panel 800 HMIs, not in the HMIs themselves as
was implied in the original version. Interestingly, this change was followed by
a revised deployment description based upon that also corrects the above
confusion between the Builder and the HMI. The interesting thing is that this
change is made outside of the designated change boundary for change 2 of 4; a
minor nit-picking point to be sure.
The third change is the addition of two vanilla security
mitigations that are generally applicable to any operation and are not specific
to this vulnerability. ICS-CERT advisories routinely include such mitigation
measures, but these two were specifically recommended by ABB.
The last change is the addition of a link to the ABB Cyber
Security Advisory for this vulnerability. I had provided this same link in my
earlier blog post.
NOTE: I missed this when I did my post last night about the
new Siemens advisory. The wife and I are moving this week and I only have
limited internet access, so I was moving too fast to notice the subtle change
in the listing for this advisory. I didn’t notice it until I checked my Twitter®
feed and by then I didn’t have enough time to go back and revise the earlier
post.