Today, CISA’s NCCIC-ICS published six control system security advisories for products from Siemens, Phoenix Contact (3), JTEKT, and Mitsubishi. All but the Mitsubishi vulnerabilities reported today by NCCIC-ICS were originally reported by Forescout’s Vedere Labs in their OT:ICEFALL report.
NOTE: Phoenix Contact republished an earlier, related advisory that I will discuss this weekend.
OT-ICEFALL Report - “Vedere Labs has identified a set of 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors that we are collectively calling OT:ICEFALL [link added].”
Siemens Advisory - This advisory discusses a use of client-side authentication vulnerability in the Siemens SIMATIC WinCC OA SCADA HMI system.
NOTE: ETM, the Siemens subsidiary that developed WinCC OA, published this article on the reported vulnerability disclosure/response process.
Phoenix Contact Advisory #1 - This advisory discusses a missing authentication for critical function vulnerability in the Phoenix Contact classic line industrial controllers.
Phoenix Contact Advisory #2 - This advisory discusses an insufficient verification of data authenticity vulnerability in the Phoenix Contact ProConOS software development kit.
Phoenix Contact Advisory #3 - This advisory discusses an insufficient verification of data authenticity vulnerability in the Phoenix Contact classic line industrial controllers.
JTEKT Advisory - This advisory discusses a missing authentication for critical function vulnerability in the JTEKT TOYOPUC PLCs.
Commentary
Back in 2012, when the original Project Basecamp disclosures (note most of the 2012 links no longer work) documented some of the problems that have been lumped into the term ‘insecure by design’, I had hoped that the control system vendor community would take a hard look at the security assumptions that they had made in designing their control system products. While a great deal of progress has occurred (just look at the vendor names that are not included in the OT:ICEFALL report), too many vendors still assume that owner operators will (or even can) only use their devices in ‘secure networks’.
I am disappointed that NCCIC-ICS did not produce an alert based upon the OT:ICEFALL report and call out each of the vendors to report on their response. This is what the old ICS-CERT did (reluctantly, to be sure) with the original Project Basecamp reports. In many ways, that Alert did much to amplify the work that the researchers did and ended up expanding the industry’s work on increasing the basic security of control systems. The work is not done, but today’s advisories will help.
BTW: The original, mostly uncoordinated, Project Basecamp disclosures created a bit of controversy about coordinated disclosure. See my discussion about that controversy here.
For more details about these advisories, including a list of the 10 vendors identified in OT:ICEFALL, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-6-21-22 - subscription required.