ICS-CERT Published Newport Advisory

Today the DHS ICS-CERT published a control system security advisory for an improper authentication vulnerability in the Newport XPS-Cx and XPS-Qx controllers. The vulnerability was reported by Maxim Rupp. Newport will reportedly address this vulnerability in the next generation XPS-Dx controller.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to view and edit settings without authenticating by accessing a specific uniform resource locator (URL).

Commentary

It never ceases to amaze me when a company refuses to fix security issues in a current product, but expect customers to buy the next product that ‘will fix’ this problem. Why would anyone expect them to support that next product when a new vulnerability is found?

Of course, that assumes that their current (or future) customers will hear about this vulnerability. It was published in this advisory, but how many owners, ICS security managers, control system engineers, or integrators actually read these advisories (or are even aware that they exist)? Unless the company proactively forces notification to all of its current (and past) customers, there are going to be some number (high, medium or low %, who knows) that never get the word and remain vulnerable by default.

This is a problem that critical infrastructure security regulators are going to have to address. Cybersecurity plans must address the measures that covered facilities are going to take to identify known vulnerabilities in their systems so that they can do a proper risk assessment to identify the mitigation measures (if any) that the facility will take to address the known vulnerabilities

This topic is not addressed in the Chemical Facility Anti-Terrorism Standards (CFATS) Risk-Based Performance Standards (RBPS) guidance document. We are still waiting on the Coast Guard cybersecurity guidance document. I am not sure if it is adequately addressed in the NERC regulations.