Monday, August 19, 2024

Schneider Updates Oddity – 8-13-24

If you read my blog post yesterday over at CFSN Detailed Analysis (subscription required), you might have noticed an oddity about the 13 updates published by Schneider Electric last week, an oddity that explains why Schneider published so many updates on this latest Cyber Tuesday. They were busy correcting a series of cybersecurity issues in their Modicon M580 CPU Safety product, issues that in one case dated back to 2018 (based upon the original advisory date). Ten of the 13 published updates listed fixes to the M580.

Only one of the advisories updated last week had been addressed by CISA (ICSA-20-016-01). This lack of coverage by CISA is not their fault; they can only address what is reported to them. That advisory was based upon vulnerability information reported to CISA by Nozomi Networks.

There are all sorts of reasons that a company would take so long to fix known vulnerabilities in products. And, to be fair, six years is probably not a record. But what concerns me is that this product is a safety system. In most of these advisories the M580 was the last affected product to be ‘fixed’. I suspect that this level of priority was due to the fact that ‘everyone knows’ that you do not connect safety systems to any outside network. Well, that is what people used to know. I have not seen any data on this, but I would bet that more and more safety systems are being connected to the corporate networks, so ‘concerned people’ can check on the systems remotely.

Anyone want to share anonymous examples???
