Tag Archives: Rockwell

CISA-ICS CERT Releases 4 ICS Advisories

Earlier this month Homeland Security released 4 different advisories for industrial control system vulnerabilities. This comes in the wake of a successful breach of a water treatment plant in Florida. While that hack took advantage of poor cyber hygiene practices (obsolete unpatched software, shared passwords, etc.), it did call attention to the fact that our critical infrastructure is under attack.

#1 – JOHNSON CONTROLS EXACQ TECHNOLOGIES EXACQVISION

DHS says this vulnerability is remotely exploitable and requires only a low skill level to exploit. It affects all supported versions of the software and can expose sensitive information of hackers. For more details see this ICS CERT ADVISORY.

#2 – Hitachi ABB Power Grids eSOMS

Again, DHS says that this vulnerability requires only a low skill level to exploit. This vulnerability allows a hacker to gain access to report data. For more details see this ICS CERT ADVISORY.

#3 – Hitachi ABB Power Grids eSOMS Telerik

This is a different Hitachi ABB problem and it is related to path traversal (get to a directory that they should not have access to), deserialization of untrusted data, improper input validation, inadequate encryption and insufficiently protected credentials. This scores a 9.8 (out of 10) on the vulnerability Richter scale. A hacker could upload malicious files, steal sensitive data and execute arbitrary code. For more details see this ICS CERT ADVISORY.

#4 – Rockwell Automation Logix Controllers

This is an update to the alert issued last month and this one rates a 10 out of 10 on the vulnerability rating scale. This one is also exploitable remotely and requires low skill to exploit. The vulnerability would allow a hacker to bypass the login requirement, alter the system’s configuration or change the code in the controller. For more information on this alert, see this ICS CERT ADVISORY.

If we look at this as a whole, what do we see:

  • Most can be executed remotely
  • Not limited to a single vendor
  • Most require low skill to achieve
  • Hackers can steal data and/or corrupt the system

If these attacks were applied to systems like the Florida water system that was compromised, you could, potentially, cause physical damage (like an explosion), turn off services (like turn off power or gas) or poison people (as could have happened in the Florida water treatment plant attack).

The other problem is that industrial control system owners are notorious for not applying patches. They are concerned, probably rightfully, that a patch could cause an outage (Microsoft or Apple never, ever, broke anything when applying patches, right?) or stop the system from working.

Unfortunately, given the typically poor cyber hygiene practices and the increased connectivity to the Internet of these systems, along with the information about the vulnerabilities that are now publicly available, don’t be surprised if hackers take advantage of this.

As a consumer, unfortunately, there is not much that you can do. That means that regulators, who are often in bed with the regulatees (the Chairman of the Texas PUC was just caught on tape reassuring investors that the millions of dollars they stole from Texans during the deep freeze this month was safe and they would not be forced to give it back. AFTER the recording was made public, the Governor asked him to resign – only AFTER). Given the often too cozy relationship between the PUCs and utilities, I am not counting on much pressure, but we can hope.

Security News for the Week Ending February 26, 2021

DoD Working on CMMC-Fedramp ‘Reciprocity’ by Year End

CMMC, the DoD’s new cybersecurity standard is designed to measure security practices of companies and the servers in the computer rooms and data centers. But what about the stuff in the cloud. That is covered by another government standard called FedRAMP. But those two standards have different rules and contractors who have both need to figure out how to comply with two competing standards. DoD is working on this and plans to have a solution by September. One challenge is that FedRAMP allows for a ‘To-Do’ list – stuff we will fix when we get to it and CMMC does not. Harmonizing these two standards is critical for defense contractors. Credit: Defense Systems

The Risk of NSA’s Offensive Security Strategy

The NSA has, for decades, favored offensive security (hacking others) over defensive security (protecting us). The Obama administration created a process called the vulnerabilities equities process to try and rationalize keeping bugs secret to use against others vs. telling vendors so that they could fix them. Check Point research published a report talking about one failure where the Chinese figured out the bug we were using, one way or another and used it against us. That is the danger of offensive security. Read the details here. Credit: The Register

HINT: When Your Vendor Tells You it is Time to Upgrade – Listen

Airplane maker Bombardier is the latest entry into the club of companies who were compromised with Accellion’s decades old FTA file transfer system. What was likely stolen was intellectual property. Accellion has been trying to get customers off this decades old platform for 5 years. Now they say they are going to formally end-of-life the old software in April. 300 customers did not listen. At least 100 were compromised. Credit: ZDNet

Microsoft Asks Congress to Force Companies to Disclose Breaches

Microsoft’s president Brad Smith testified at a Senate Intelligence Committee hearing this week about the SolarWinds breach. Smith said that the private sectors should be legally obligated to disclose any major hacks. None of the other CEOs who testified argued with Smith. The details of who, how, when, etc. are note easy to figure out as is the penalty for breaking the law. I suspect that the overwhelming majority of breaches are never reported to anyone because there is no incentive to do so. Credit: The Register

DHS-CISA Reveals Authentication Bypass of Rockwell Factory Controllers

Rockwell industrial automation controllers used in places like factory floors can be compromised by a remote hacker if they can install some malware on the network. The bug has a severity score of 10 out of 10. The compromise would allow hackers to upload firmware of their choosing and download data from the controller. The bug was initially disclosed to Rockwell in 2019. Credit: Security Week