Today the DHS ICS-CERT published a control system security advisory for products from PHOENIX CONTACT. They also provided a link to a British publication: “Code of Practice: Cyber Security for Ships”.
PHOENIX CONTACT Advisory
This advisory describes ten improper access control vulnerabilities in the PHOENIX CONTACT mGuard Device Manager. The vulnerabilities are in the Oracle Java SE implementation bundled with the product. These vulnerabilities were self-reported by PHOENIX CONTACT, which has released a new version that mitigates them.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to gain unauthorized remote access and modify data, and that they may allow remote and local users to gain elevated privileges.
Once again, we see a vulnerability caused by third party software, and there is an open question about what other software systems have the same vulnerabilities. It is interesting that these 10 Oracle vulnerabilities are all dated 2017. That makes it even more likely that other vendors using the same Oracle software have not yet discovered or mitigated the vulnerabilities in their products.
Cyber Security for Ships
The code of practice document was produced for the British Government by the Institution of Engineering and Technology. It provides a high-level treatment of the topic, including an interesting overview of the threat environment for the shipping industry. Appendix D provides a non-technical description of how mitigation measures can be developed, and Appendix H provides a lengthy bibliography of cybersecurity standards for both IT and operational systems.