
Tuesday, August 25, 2015

ICS-CERT Publishes Repetitive Hart DTM Advisory

Today the DHS ICS-CERT published another advisory for the CodeWrights Hart-DTM vulnerability that was originally reported in January. This time it was for a large number of devices from Endress+Hauser. Interestingly, Endress+Hauser had already been added to the latest version (C) of the CodeWrights advisory published in February.

The only new information in this new advisory is the extensive list of affected E+H products and the fact that E+H had finally gotten around to updating the version of the CodeWrights library that they were using.

Nothing to see here, move along.

Oh wait. There was an interesting tweet from ICS-CERT this afternoon before they announced the new advisory. It seems that they have recently updated/revised/whatever their public PGP key for secure submission to ICS-CERT. This is certainly important news. Fortunately they tweeted it because there is nothing on their web page that indicates that the key had been changed.

Instead of providing a direct link to the PGP key they send you to the main landing page. To find the link to the key you have to scroll all the way to the bottom of the page and click on “Download PGP/GPG keys”. This is NOT a download link but a link to the page where you can copy the PGP key.

I got there by a slightly more circuitous route starting with clicking on the “Report an Incident” button near the top of the same page. That page provides some interesting information on reporting stuff to ICS-CERT and is good to know. Near the bottom of the page it says:

“Organizations can download our PGP key at https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-CERT.asc”

Don’t waste your time clicking on that link unless you want to see the ICS-CERT 404 page; nothing special there. Fortunately there is the same “Download PGP/GPG keys” link on the bottom of this page to take you to the real PGP key.

At least I think this is the new key. Nothing on the web site mentions that the key has been changed. This is getting to be a real problem on the ICS-CERT web site. There is no way to tell if something is new or old.


Thursday, February 5, 2015

ICS-CERT Updates NTP and HART-DTM Information

Today the DHS ICS-CERT published two new HART-DTM related advisories, updated the CodeWrights HART-DTM advisory, updated the NTP Advisory and published their promised NTP supplement. It was a busy information afternoon for ICS-CERT.

NTP Information

The third update to the ICS-CERT advisory on the NTP vulnerabilities was simply a change to add a link to the promised supplement addressing vendor specific information about how those vulnerabilities are implemented in specific products. That Supplement currently lists affected products (and mitigation measures) from/for the following vendors:

● Arbiter Systems;
● Innominate;
● Meinberg;
● Siemens; and
● Wind River Systems.

The Supplement does not currently list reportedly unaffected products. Updates to this Supplement are expected.

HART-DTM Information

The third update to the CodeWrights HART-DTM advisory provides some new information about affected systems, including adding Honeywell to the list of potentially affected vendors. Interestingly GE-MAKTec was not included on the list even though ICS-CERT published an advisory about their HART-DTM vulnerabilities today. The Update has also provided links to ICS-CERT advisories for Emerson, Honeywell, Magnetrol, and Pepperl+Fuchs.

There is some additional clarification about the potential impact of successful exploits of this vulnerability. ICS-CERT notes that it only affects the Field Device Tool (FDT) Frame Application. Since that application is only used for configuration changes, ICS-CERT reports that a successful exploit “does not result in loss of information, control, or view by the control system of the HART devices on the 4-20 mA HART Loop”.

ICS-CERT continues to emphasize how difficult it would be to craft an exploit for this vulnerability. Interestingly, they have removed the comments about compromised physical access to the 4 mA to 20 mA current loop. They emphasize that an exploit is possible from “any adjacent network that receives or passes packets from the HART Device DTM”.

The new advisories for Pepperl+Fuchs products and products from GE and MAKTec (GE provides the DTM software for the MAKTec Bullet Adapter DTM according to a GE Advisory) provide basically the same information as the current CodeWrights advisory.

Consistency of Information Sharing

It seems odd that ICS-CERT is issuing individual advisories for vendors affected by the HART-DTM vulnerability but issues a supplement for the advisory that lists those affected by the NTP vulnerability. In most ways it really does not make a difference which process ICS-CERT uses, and they are under no mandate or obligation to maintain any sort of consistency in their methodology.


Having said that, the multiple advisory process being used with the HART-DTM vulnerability does present a problem. The two advisories issued today share the same language as that found in the current version of the CodeWrights advisory. The Emerson and Magnetrol advisories share the language with the previous version of the CodeWrights advisory. This means that ICS-CERT really should have offered updates of those two advisories today as well. And when the next change takes place, they will have to update all five advisories (plus any others issued in the interim). Using the NTP advisory/supplement model, only one advisory needs to be updated when information on the base vulnerability changes.
 