Showing posts with label TRISIS. Show all posts

Wednesday, February 7, 2018

Reader Comment - Schneider S4x18 Presentation


Yesterday Toshio Miyachi posted a reply to my latest public ICS disclosure blog post providing a link to the Schneider Electric TRISIS presentation at S4x18. Just finished watching the 26-minute video and it is well worth the time to view it. Dale Peterson’s opening comments are right on point about both the tactical and strategic (my terminology, not Dale’s) importance of this video.

An easy-to-overlook part of this presentation starts at about 5:14 into the video, where Paul Forney outlines the people that helped in the TRISIS incident analysis. The slide shown at 5:14 provides a short list which Paul expands upon. Two points that I want to make about this. First, ICS-CERT is not mentioned; its parent organization, NCCIC, gets credit for the work done predominantly (I would suspect) by the technical folks at ICS-CERT.

The second item is the credit that Forney gives to DOD for coordinating the government efforts in the data collection and analysis effort. I suspect that this was predominantly Cyber Command. While this says good things about the control system understanding of DOD, I think that this could raise Posse Comitatus concerns if the incident had occurred in the United States. If DOD is going to be an important player in cybersecurity response, Congress needs to specifically outline the legally permissible limits of that involvement. Otherwise, the NCCIC is going to have to beef up its capabilities to accept that role.

Saturday, February 3, 2018

Public ICS Disclosures – Week of 1-25-18


This week we have a new coordinated disclosure for a Sprecher Automation remote terminal unit (RTU), exploit code for an Advantech WebAccess vulnerability and a late discussion of new information on the TRISIS attack.

Sprecher


SEC Consult Vulnerability Lab published a vulnerability report on the FullDisclosure.com web site this week for multiple vulnerabilities in the Sprecher SPRECON-E-C RTU. It reports five vulnerabilities (with proof of concept code), including:

• Authenticated path traversal;
• Client-side password hashing;
• Missing authentication;
• Permanent denial of service via port scan; and
• Outdated Linux kernel.

Three of the five vulnerabilities have reportedly been fixed, and workarounds have been provided for the other two.

Advantech Exploit


Chris Lyne published exploit code on the ExploitDataBase.com web site this week for an SQL injection vulnerability in the Advantech WebAccess application. The vulnerability was included in a recent ICS-CERT Advisory that was most recently updated on January 11th. For obvious reasons, ICS-CERT did not mention the publicly available exploit code and they have not made it a practice to further update their advisories to report the presence of exploits.

TRISIS Update


Most readers will probably be familiar with the Schneider presentation at S4X18 about new information on the recent attack on a Triconex safety system. Schneider reported that they discovered a zero-day vulnerability used by the attacker and have provided a firmware update that mitigates the vulnerability. Schneider updated their security notification to reflect the new information.

ICS-CERT published a malware report, not a control system advisory, for the situation. It did provide a link to the original Schneider notification. I do not expect ICS-CERT to update their malware report, but I have been hoping to see an advisory for the newly reported vulnerability.

I cannot wait for DigitalBond to make the Schneider presentation available on their site.

Saturday, December 30, 2017

Publicly Disclosed ICS Vulnerabilities – Week of 12-23-17

This week we have two vendor notifications that were not covered by ICS-CERT. These were for products from Siemens and ABB.

Siemens Update


Siemens announced another update to their July advisory about vulnerabilities in their SIPROTEC 4 and SIPROTEC Compact devices. ICS-CERT updated their advisory for the previous Siemens update, but has not done so for this one. I suspect this is a holiday delay.

Siemens is providing updated version information and mitigation measures for their SIPROTEC 7UT686.

ABB Advisory


Joel Langill provided a link to an ABB security advisory related to the TRITON/TRISIS/HATMAN malware. While the TTH attack did not involve any ABB products, the company notes that “conceptually a similar attack can be leveraged against any safety system with a sufficiently similar design concept”. The advisory then goes on to provide a link to a product-specific advisory (registration required) for the ABB System 800xA High Integrity safety instrumented system.


Since I am not a registered user I do not have access to the advice provided by ABB, but I suspect that it pretty much reiterates standard security protocols for the device. That is not a bad thing in view of some of the lapses reported in both the Dragos and FireEye reports. In fact, it might be a good idea for all vendors of safety instrumented systems to review those two reports and provide a security update for their products that emphasizes the lessons learned in the Saudi attack.