Covert Emerson vuln Update

On December 2, ICS-CERT pushed an update to a vulnerability advisory for Emerson ROC RTUs. The original advisory was published on September 26, 2013.

ROC update

Most ICS-CERT advisory updates contain incremental information, such as the vendor identifying more vulnerable versions or the vendor releasing a patch. When you open up the Emerson ROC vulnerability update, that is the impression you get:

ROC update 1

So, when you read this, you believe that Emerson has released a patch and that the patch has been validated by the researchers who disclosed the vulnerabilities. Seems simple enough.

But keep reading and you see that the little update wasn’t so little:

ROC update 2

Capture replay is a HUGE deal. Essentially it means that, because the RTU does not authenticate the communications it receives, an attacker who has recorded legitimate traffic can send those same commands back to the vulnerable RTU and have them executed.
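As an added illustration of why this matters (example code written for this post, not Emerson's protocol or any product's code): a bare command channel executes a recorded frame a second time, while a channel that binds each command to a monotonic counter under an HMAC, the kind of check an inline device in front of the RTU could perform, rejects the replay. The frame layout, key and command payload are constructed assumptions.

```python
import hashlib, hmac, os

# Assumption (constructed): a bare command channel executes every frame it
# receives, so a frame recorded earlier can simply be sent again.
class UnauthenticatedRTU:
    def __init__(self):
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        self.executed.append(frame)
        return True

# Hardened channel (constructed): each frame is counter || payload || HMAC-SHA256
# under a key shared with the sender. A replayed frame carries a stale counter
# and is rejected even though its MAC still verifies; a forged or tampered
# frame fails the MAC check before the counter is even looked at.
class AuthenticatedRTU:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.executed = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + 32:   # 4-byte counter + 32-byte tag
            return False
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return False  # replay (or reordering): refuse to execute
        self.last_counter = counter
        self.executed.append(body[4:])
        return True

def build_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    body = counter.to_bytes(4, "big") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def demo():
    key = os.urandom(32)
    cmd = b"SET valve_1 OPEN"  # constructed command payload
    plain, hardened = UnauthenticatedRTU(), AuthenticatedRTU(key)
    for _ in range(2):          # recorded once, replayed once
        plain.receive(cmd)
    frame = build_frame(key, 1, cmd)
    first, replay = hardened.receive(frame), hardened.receive(frame)
    return len(plain.executed), first, replay   # (2, True, False)
```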

But it’s okay, because it has been patched, right? I mean, “Update A part 1 of 3” says in direct terms:

Emerson Process Management has produced a patch that mitigates these vulnerabilities.

Well, keep plowing into the depths of the document, because you may never guess what’s coming next:

ROC update 3

That’s right: there is no patch! Or at least, the update can be read to mean that there is no patch, and that you may actually need to install another device on your network to mitigate the issue.

My conclusion: Many vulnerability communications are not serving the needs and interests of firms that are actually operating critical infrastructure.

Critical Intelligence conducts its own analysis of every ICS vulnerability it comes across to make sure the utilities, water facilities, and refineries operating industrial systems:

  • Don’t miss publicly disclosed vulnerabilities
  • Don’t get lost in the details
  • Accurately understand the possible impacts to the processes they run

If you are really trying to protect critical infrastructure, then you’ve got to communicate clearly. To get that type of communication, subscribe to the Core ICS Intelligence Service.

UPDATE Dec. 18, 2014: ICS-CERT now confirms that the Emerson patch did not address the capture-replay attack.

Pipeline cyber explosion — yesteryear’s news

Reading through the news, I came across the Bloomberg BTC pipeline explosion piece.

pipeline cyber

If cyber attacks on the pipeline were news to you, they shouldn’t have been.
Critical Intelligence covered the cyber aspect of this story (though perhaps not in the same set of details) in its report entitled “Report claims Russia conducted cyber attack on strategic pipeline”, issued August 30, 2009. Critical Intelligence has made the report publicly available.

Among the interesting things we found five years ago was an advanced technology threat assessment for the pipeline.

If you don’t want to hear about ICS security events five years later, subscribe to the Critical Intelligence Core ICS Intelligence Service.

Warning Intelligence and negligence

I thought this was pretty big news:

“Judge rules that banks can sue Target for 2013 credit card hack”

Target case

Here’s the key quote from the actual decision:

Plaintiffs have plausibly alleged that Target’s actions and inactions—disabling certain security features and failing to heed the warning signs as the hackers’ attack began—caused foreseeable harm to Plaintiffs. Plaintiffs have also plausibly alleged that Target’s conduct both caused and exacerbated the harm they suffered. And Plaintiffs’ allegation that Target was solely able and solely responsible to safeguard its and Plaintiffs’ customers’ data is also plausible. Imposing a duty on Target in this case will aid Minnesota’s policy of punishing companies that do not secure consumers’ credit- and debit-card information.

I was particularly interested in the “failing to heed the warning signs” part. As an intelligence professional, I have always found wisdom in the statement “willing ignorance is negligence”. Now we have a case in the cyber world where that may ultimately ring true.

Pointing to possible implications for critical infrastructure, we might consider Internet-connected ICS, including engineering laptops with access to web and email. We have numerous documented cases where these configurations have led to compromise (see Havex and Black Energy).

If one of these led to real physical damage, I imagine the lawsuits would fly (assuming, of course, that the “cyber” cause could be accurately ascertained).

After five years of warning about the problems of connectering-up yer HMI to the public Internexus, I don’t think there should be much excuse for getting your plant compromised by anyone who can run a freely available exploit tool (let alone by someone trying an unchanged default password!).

As a final note, and a point I’ve made before, to what extent should taxpayers be subsidizing incident response when the victim “failed to heed the warning signs”?

Head start on patching Honeywell vulns

So, back in November, Russian researchers dropped a load of ICS vulnerabilities: 25 in all. Honeywell seems to keep a pretty tight lip on the details. Maybe Positive Technologies, who discovered them, will shed more light on what’s really going on here.

PT honeywell

At any rate, looking through what details are public, Critical Intelligence realized that Honeywell reportedly released a patch for the vulnerabilities as far back as June 2014.

Well, in case you didn’t know, one of the other awesome things that Critical Intelligence does is monitor for patches and new product releases for control systems software.

And guess what? Critical Intelligence included information about those patches in its June 5, 2014 report. So, if you had been subscribed to the Core ICS Intelligence Service and were running Honeywell Experion, you would have known about the availability of these patches six months ago. I think that’s pretty cool. What other group/firm has done that for its customers for five years?

Black Energy and ICS

Monday I had the opportunity to brief on the SANS ICS Threat Briefing webinar. This was the inaugural SANS ICS webinar on a “current” threat.

For me the highlight of the briefing was the following graphic.


Over the past several years, numerous warnings given by Critical Intelligence would have helped affected asset owners avoid infection by “Black Energy/Sandworm”.

In short, if you waited for the federal government to tell you about it (on October 29, 2014), you were only two and a half years late.

To listen to the whole archived Webinar, register here.

To get this type of forewarning for your ICS environment, request a sales call with Critical Intelligence.