Showing posts with label OT:ICEFALL. Show all posts

Tuesday, November 1, 2022

Review - 1 Update Published – 1-11-22

Today, CISA’s NCCIC-ICS published an update for a control system security advisory for products from Mitsubishi. I also look at the current state of the response to the OT:ICEFALL report.

Mitsubishi Update - This update provides additional information on an advisory that was originally published on August 9th, 2022 and most recently updated on August 30th, 2022.

OT:ICEFALL Update

Back in June, Forescout’s Vedere Labs published their report on OT:ICEFALL. Readers will likely remember that the report identified 56 vulnerabilities across control system products from nine different vendors. CISA’s NCCIC-ICS did not publish an alert when Forescout’s report was published (even though it contained proof-of-concept code); instead, they approached the individual vendors and attempted to coordinate disclosure on the individual product lines.

Starting on June 21st, CISA began issuing what has been, to date, 18 advisories, with the latest one being issued on August 30th. While that covers all of the vendors listed in the Vedere Labs report, it does not address all of the vulnerabilities, nor have I found vendor advisories that cover the 12 vulnerabilities not yet covered by NCCIC-ICS.


For more details about the advisory and the OT:ICEFALL status, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/1-update-published-1-11-22 - subscription required.


Tuesday, August 9, 2022

Review – 3 Advisories Published – 8-9-22

Today, CISA’s NCCIC-ICS published three control system security advisories for products from Emerson (2) and Mitsubishi.

Emerson Advisory #1 - This advisory discusses two OT:ICEFALL vulnerabilities in the Emerson OpenBSI network communications services.

Emerson Advisory #2 - This advisory discusses one OT:ICEFALL vulnerability in the Emerson ControlWave programmable controller.

Mitsubishi Advisory - This advisory discusses two vulnerabilities in the Mitsubishi GT SoftGOT2000.

OT:ICEFALL Update - With today’s advisories there are still 14 vulnerabilities included in the OT:ICEFALL report that have not yet been reported by NCCIC-ICS.

 

For more details on these advisories, including links to 3rd Party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-8-9-22 - subscription required.

Wednesday, June 22, 2022

CISA Publishes Notice About OT:ICEFALL

Today CISA published a notice on their Current Activity page on “CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report”. It lists the NCCIC-ICS advisories that were published yesterday that were based upon the OT:ICEFALL report. While those advisories mentioned the Report, they did not provide links to it. This notice not only provides a link to the document but specifically mentioned that the researchers were from Forescout.

Reading this notice, it would be easy to assume that the five listed advisories provided an exhaustive list of the 56 vulnerabilities reported by Vedere Labs. It does not report that there are other vendors affected, much less list those vendors. Again, as I mentioned yesterday, NCCIC-ICS should have published an OT:ICEFALL advisory that lists the known affected vendors and the full list of 56 vulnerabilities reported by Forescout.

Oh, and no one at CISA is mentioning that these 56 vulnerabilities are going to be affecting an as of yet unknown number of other ICS products as third-party vulnerabilities.

Tuesday, June 21, 2022

Review - 6 Advisories Published – 6-21-22

Today, CISA’s NCCIC-ICS published six control system security advisories for products from Siemens, Phoenix Contact (3), JTEKT, and Mitsubishi. All but the Mitsubishi vulnerabilities reported today by NCCIC-ICS were originally reported by Forescout’s Vedere Labs in their OT:ICEFALL report.

NOTE: Phoenix Contact republished an earlier, related advisory that I will discuss this weekend.

OT:ICEFALL Report - “Vedere Labs has identified a set of 56 vulnerabilities affecting devices from 10 operational technology (OT) vendors that we are collectively calling OT:ICEFALL [link added].”

Siemens Advisory - This advisory discusses a use of client-side authentication vulnerability in the Siemens SIMATIC WinCC OA SCADA HMI system.

NOTE: ETM, the Siemens subsidiary that developed WinCC OA, published this article on the reported vulnerability disclosure/response process.

Phoenix Contact Advisory #1 - This advisory discusses a missing authentication for critical function vulnerability in the Phoenix Contact classic line industrial controllers.

Phoenix Contact Advisory #2 - This advisory discusses an insufficient verification of data authenticity vulnerability in the Phoenix Contact ProConOS software development kit.

Phoenix Contact Advisory #3 - This advisory discusses an insufficient verification of data authenticity vulnerability in the Phoenix Contact classic line industrial controllers.

JTEKT Advisory - This advisory discusses a missing authentication for critical function vulnerability in the JTEKT TOYOPUC PLCs.

Commentary

Back in 2012 when the original Project Basecamp disclosures (note most of the 2012 links no longer work) documented some of the problems that have been lumped into the term ‘insecure by design’, I had hoped that the control system vendor community would take a hard look at the security assumptions that they had made in designing their control system products. While a great deal of progress has occurred (just look at the vendor names that are not included in the OT:ICEFALL report), too many vendors still assume that owner operators will (or even can) only use their devices in ‘secure networks’.

I am disappointed that NCCIC-ICS did not produce an alert based upon the OT:ICEFALL report and call out each of the vendors to report on their response. This is what the old ICS-CERT did (reluctantly to be sure) with the original Project Basecamp reports. In many ways, that Alert did much to amplify the work that the researchers did and ended up expanding the industry’s work on increasing the basic security of control systems. The work is not done, but today’s advisories will help.

BTW: The original, mostly uncoordinated, Project Basecamp disclosures created a bit of controversy about coordinated disclosure. See my discussion about that controversy here.

 

For more details about these advisories, including a list of the 10 vendors identified in OT:ICEFALL, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-published-6-21-22 - subscription required.

 