Today, CISA’s NCCIC-ICS published six control system security advisories for products from Siemens, Phoenix Contact (3), JTEKT, and Mitsubishi. All but the Mitsubishi vulnerabilities reported today by NCCIC-ICS were originally reported by Forescout’s Vedere Labs in their OT:ICEFALL report.
NOTE: Phoenix Contact republished an earlier, related advisory, that I will discuss this weekend.
OT-ICEFALL Report - “Vedere Labs has identified a set
of 56 vulnerabilities affecting devices from 10 operational technology (OT)
vendors that we are collectively calling OT:ICEFALL
[link added].”
Siemens Advisory - This advisory discusses
a use of client-side authentication vulnerability in the Siemens SIMATIC WinCC
OA SCADA HMI system.
NOTE: ETM, the
Siemens subsidiary that developed WinCC OA, published this article
on the reported vulnerability disclosure/response process.
Phoenix Contact Advisory #1 - This advisory discusses
a missing authentication for critical function vulnerability in the Phoenix
Contact classic line industrial controllers.
Phoenix Contact Advisory #2 - This advisory discusses
an insufficient verification of data authenticity vulnerability in the Phoenix
Contact ProConOS software development kit.
Phoenix Contact Advisory #3 - This advisory discusses
an insufficient verification of data authenticity vulnerability in the Phoenix
Contact classic line industrial controllers.
JTEKT Advisory - This advisory discusses a missing authentication for critical function vulnerability in the JTEKT TOYOPUC PLCs.
Commentary
Back in 2012 when the original Project Basecamp disclosures (note most of the 2012 links no longer work) documented some of the problems that have been lumped into the term ‘insecure by design’, I had hoped that the control system vendor community would take a hard look at the security assumptions that they had made in designing their control system products. While a great deal of progress has occurred (just look at the vendor names that are not included in OT:ICEFALL report), too many vendors still assume that owner operators will (or even can) only use their devices in ‘secure networks’.
I am disappointed that NCCIC-ICS did not produce an alert based upon the OT:ICEFALL report and call out each of the vendors to report on their response. This is what the old ICS-CERT did (reluctantly to be sure) with the original Project Basecamp reports. In many ways, that Alert, did much to amplify the work that the researchers did and ended up expanding the industry’s work on increasing the basic security of control systems. The work is not done, but today’s advisories will help.
BTW: The original, mostly uncoordinated, Project Basecamp
disclosures created a bit of controversy about coordinated disclosure. See my
discussion about that controversy
here.
For more details about these advisories, including a list of
the 10 vendors identified in OT:ICEFALL, see my article at CFSN Detailed Analysis
- https://patrickcoyle.substack.com/p/6-advisories-published-6-21-22
- subscription required.
Posts
No comments:
Post a Comment