This week we have three vendor disclosures from Yokogawa (2) and Belden,
and an advisory update from Siemens. There are also two disclosures
from VDE-CERT for products from Phoenix Contact and WAGO. Both of those
disclosures pointed to an interesting research paper on “Measuring PLC Cycle
Times under Attacks”.
Vnet/IP Network Switches Advisory
Yokogawa reports a
debug vulnerability in their Vnet/IP network switches. The vulnerability is due
to a third-party software issue (see Belden below). Yokogawa reports a workaround
since there “is no provision of firmware’s which are countermeasures against
this vulnerability”.
License Management Advisory
Yokogawa reports a
buffer overflow vulnerability in the license management function in a number of
their products. Yokogawa has an update that mitigates the vulnerability. The
advisory notes that ICS-CERT has been notified so there is a strong chance that
this will be reported by ICS-CERT in the coming week.
Belden Advisory
Belden reports
(.PDF Download) 16 separate vulnerabilities in the TCPdump functionality of
their OWL industrial routers and HiOS Ethernet switches. Belden provides a
workaround and notes that the TCPdump functionality is inactive by default.
NOTE: This advisory is actually dated July 27th,
2018 (and outside of this week’s window), but it is being included here because
of its relation to the Yokogawa advisory and because of the potential for other
vendors being affected. Also note that the CVEs for the vulnerabilities date
back to 2016 and 2017. That indicates that either it took a long time to figure
out the minor workaround, or Belden was not really concerned about these
vulnerabilities.
Siemens Update
Siemens updated
their general customer advisory for the Spectre/Meltdown vulnerabilities. The
advisory was last
updated on July 17th, 2018. This update adds information on the L1
Terminal Fault / Foreshadow versions of the vulnerabilities.
NOTE: The latest version
(update H) of the ICS-CERT alert on Spectre/Meltdown still does not mention the
newer variants of the vulnerabilities reported in this Siemens advisory.
Phoenix Contact Advisory
VDE-CERT reports an uncontrolled
resource consumption vulnerability in the Phoenix Contact ILC 1x1 ETH. The vulnerability
was reported by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow
(Freie Universität Berlin) and Florian Fischer (Hochschule Augsburg). A generic
workaround has been provided.
WAGO Advisory
VDE-CERT reports an
uncontrolled resource consumption vulnerability in the WAGO 750-8xx Controllers.
The vulnerability was reported by Matthias Niedermaier (Hochschule Augsburg),
Jan-Ole Malchow (Freie Universität Berlin) and Florian Fischer (Hochschule
Augsburg). A generic workaround has been provided.
Measuring PLC Cycle Times under Attacks
The research
paper that pointed out the Phoenix Contact and WAGO vulnerabilities discussed
above provides an interesting look at the possibility of detecting on-going control-system
attacks by monitoring PLC cycle times. As an academic look at this potential
attack detection technique, this paper is well worth reading. From a process
chemist’s point of view, it also points out a specific, unintended process
problem that these attacks might pose, one that could itself serve as an
indication of an on-going cyber-attack.
One of the problems that a process engineer/chemist has to
deal with in designing a control system scheme in the chemical industry (and that
is probably true for other industries as well) is the lag time between when a process
indicator (sensor) notes that a process state needs to be changed and when the
process actuator (valve for example) can complete its action to effect that
change. A great deal of effort goes into ‘tuning’ the system to minimize the
potential adverse impacts caused by that time lag.
This paper notes that a variety of attacks can affect the
lag time within the PLC. Normally, this portion of the total lag time is small
and nearly constant, so it is essentially ignored in the tuning process. This
paper notes that in some attacks the lag time can be increased by up to several
seconds (this can be an eternity in critical portions of many chemical
reactions). To make things even more interesting it appears that TCPdump
attacks (like those discussed in the Yokogawa and Belden advisories above) can
actually speed up the PLC processing and decrease the overall lag time, creating
a whole new set of process problems.
This means that certain types of process upsets can be an
indication of on-going cyber-attacks on control systems. To say the least, this
complicates the job of the process overseers (another root cause possibility
that needs to be examined), but it could provide control systems engineers with
a warning to check their systems for other signs of attacks.
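To make the detection idea concrete, here is a small monitor, added as an illustration and not code from the paper, from VDE-CERT or from any of the vendors named above, that compares a stream of PLC scan-cycle times against a known-good baseline and raises an alert on a sustained shift in either direction, since the paper reports both slow-downs into the seconds range and speed-ups. All cycle-time values are constructed, and the thresholds (a band of four standard deviations, a 0.5 ms floor, and a minimum run of three cycles) are assumptions to be replaced with figures measured on the actual controller.

```python
"""Cycle-time deviation monitor for a PLC scan loop.

Added illustration (not from the paper or any vendor): flags sustained
slow-downs and speed-ups of the scan cycle relative to a known-good baseline.
All sample values below are constructed.
"""
from statistics import mean, pstdev


def baseline(cycle_times_ms):
    """Mean and population standard deviation of a known-good cycle-time sample."""
    return mean(cycle_times_ms), pstdev(cycle_times_ms)


def classify(sample_ms, base_mean, base_std, k=4.0, floor_ms=0.5):
    """Label one cycle as 'normal', 'slow' or 'fast'.

    The band is k standard deviations wide but never narrower than floor_ms
    (assumed values), so a perfectly regular baseline (std = 0) does not
    alert on harmless jitter.
    """
    band = max(k * base_std, floor_ms)
    if sample_ms > base_mean + band:
        return "slow"
    if sample_ms < base_mean - band:
        return "fast"
    return "normal"


def scan(samples_ms, base_mean, base_std, k=4.0, min_run=3):
    """Return alerts for runs of at least min_run consecutive abnormal cycles.

    A single stretched cycle is tolerated (controllers occasionally run one
    long scan); a sustained shift in either direction is reported with its
    position, length and average cycle time so an operator can correlate it
    with a process upset.
    """
    alerts = []
    run_kind, run_start, run_values = None, None, []

    def flush():
        if run_kind is not None and len(run_values) >= min_run:
            alerts.append({"kind": run_kind, "start": run_start,
                           "cycles": len(run_values),
                           "mean_ms": round(mean(run_values), 2)})

    for i, s in enumerate(samples_ms):
        kind = classify(s, base_mean, base_std, k)
        if kind == run_kind:
            run_values.append(s)
            continue
        flush()  # previous run ended (or flipped between slow and fast)
        if kind == "normal":
            run_kind, run_start, run_values = None, None, []
        else:
            run_kind, run_start, run_values = kind, i, [s]
    flush()  # a run that lasts to the end of the trace is still reported
    return alerts


# Constructed known-good sample: a 10 ms scan cycle with +/-0.2 ms jitter.
GOOD_CYCLES_MS = [10.0 + 0.1 * ((i * 7) % 5 - 2) for i in range(50)]

# Constructed trace: normal operation, a six-cycle slow-down into the seconds
# range, a lone stretched cycle (must not alert), a five-cycle speed-up, then
# normal operation again.
TRACE_MS = (
    GOOD_CYCLES_MS[:10]
    + [2100.0 + 15.0 * j for j in range(6)]
    + GOOD_CYCLES_MS[:4] + [10.9] + GOOD_CYCLES_MS[4:8]
    + [6.0 + 0.05 * j for j in range(5)]
    + GOOD_CYCLES_MS[:10]
)


def demo():
    """Run the monitor over the constructed trace and return its alerts."""
    base_mean, base_std = baseline(GOOD_CYCLES_MS)
    return scan(TRACE_MS, base_mean, base_std)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On the constructed trace the monitor reports one "slow" run of six cycles starting at index 10 and one "fast" run of five cycles starting at index 25, while the single 10.9 ms cycle is classified as slow but never becomes an alert. The two-sided check matters here because, as noted above, a capture-related load can shorten the cycle as well as lengthen it; a monitor that only watched for slow scans would miss that case.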