Abstract:
Industrial systems cyber vulnerability advisories repositories 2016: The main contributors are security companies and independent researchers. The system’s creators are third.
———
Detail:
On November 21st Siemens Product CERT (and a day later the US ICS-CERT) published a security advisory on vulnerabilities affecting Siemens industrial control system products ( ICS-CERT advisory ICSA-16-327-02).
Our team, in cooperation with project partner Inverse Path, had discovered the vulnerabilities a while ago and publicly disclosed it in coordination with Siemens.
The context of the discovery of those vulnerabilities was actually a Smart Tools cyber security project of ours.
The project’s objectives:
- identifying potential new attack vectors introduced by Smart Tools (such as subtle manipulation of the tool’s programming by attackers – and how this impacts/changes the cyber attack surface of our production) and
- assessing how existing controls and safeguards cope with that change or what new/additional countermeasures are needed.
The technical Smart Tool test work packages finished ahead of time and cost (yes, such thing actually IS possible … ) and we used the already allocated resources at hand (and our inexhaustible enthusiasm) to engage in a little side project: an excursion in the world of vulnerability research on industrial controllers we knew were used in manufacturing engineering projects by the business.
Cyber vulnerability research is not part of the usual cyber vulnerability management process (identification, classification, remediation/mitigation) used by end-user organisations. For end-user organisations ‘identification’ in practical application means: identification of known vulnerabilities.
Vulnerability research, however, aims at discovering the yet unknown vulnerabilities.
As of today, (industrial) systems/software cyber vulnerability research usually is primarily the domain of cyber security solution/service companies and independent researchers.
Lets have a quick look at the reporting sources of the 2016 advisories of the US ICS-CERT:
industrial-systems-cyber-vulnerability-reserach-2016
This observation, however, is not a surprise, really.
Cyber vulnerability research – industrial systems cyber vulnerabilities research in particular – requires special (yet rare) skills and tools (in other words: it is expensive).
It is also an important prerequisite for products/services portfolio development of (industrial) cyber security solutions/services providers – and quite often its actually a product/service by itself.
When time allows (X-mas holidays are upcoming) I”ll extend the observation window even more back in time – to check the trends over the last years.
Looking forward into the future, however, ideally we should see more and more the (industrial automation) vendors themselves leading the vulnerability research on their products as part of the product’s cyber security quality assurance, shouldn’t we ?
That said I am looking forward to update this post from time to time with more information on the trend of industrial system’s vulnerability research sources observable at the ICS-CERT and others.
key words: ICS Security, vulnerability management, product cyber quality, ICS-CERT, Siemens product cert
references:
Siemens Security Advisory by Siemens ProductCERT: http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-603476.pdf
Advisory (ICSA-16-327-02) Siemens SIMATIC CP 343-1/CP 443-1 Modules and SIMATIC S7-300/S7-400 CPUs Vulnerabilities: https://ics-cert.us-cert.gov/advisories/ICSA-16-327-02
NIST Security Automation and Vulnerability Management: http://csrc.nist.gov/projects/secauto.html
RealLifeISM 
Posted on December 4, 2016 by Heiko Herrmann
0