1 Advisory and 1 Update Published – 4-26-22
Today CISA’s NCCIC-ICS published a control systems security advisory for products from Hitachi Energy and updated an advisory for products from Mitsubishi Electric. Additionally, CISA revised the landing page for their Industrial Control System web site, including moving their announcements of new advisories to a similarly revised ICS Advisories web page.
Hitachi Energy Advisory
This advisory describes seven vulnerabilities in the Hitachi Energy System Data Manager – SDM600. These are third-party vulnerabilities. Hitachi Energy has a new version that mitigates the vulnerabilities.
The seven reported vulnerabilities are:
Observable discrepancy - CVE-2020-1968 (OpenSSL),
Uncontrolled recursion - CVE-2020-12243 (OpenLDAP),
Reachable assertion (3) - CVE-2020-25709 (OpenLDAP), CVE-2020-25710 (OpenLDAP), and CVE-2020-36230 (OpenLDAP),
Type confusion - CVE-2020-36229 (OpenLDAP), and
Integer overflow or wraparound - CVE-2021-23840 (OpenSSL)
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to eavesdrop on traffic or to cause a denial-of-service condition.
NOTE: I briefly reported these vulnerabilities on December 25, 2021.
Mitsubishi Update
This update provides additional information on an advisory that was originally published on November 30th, 2021 and most recently updated on January 27th, 2022. The new information includes adding fixes for Q12DCCPU-V, Q24DHCCPU-V(G), Q24/26DHCCPU-LS, MR-MQ100, Q172/173DCPU-S1, and Q170MCPU modules.
New Web Site
The new landing page is a complete rewrite, along with a new URL (https://www.cisa.gov/ics; the old URL redirects). It starts off with the new header: “CISA’S ROLE IN INDUSTRIAL CONTROL SYSTEMS”. Then it goes on to list four ‘core priorities’ and three goals. Finally, it provides links to four other areas of interest to the ICS community:
Report a Vulnerability,
Industrial Control Systems Joint Working Group (ICSJWG), and
The ‘Report a Vulnerability’ link takes you to the CMU Software Engineering Institute’s Vulnerability Information and Coordination Environment (VINCE) page for reporting vulnerabilities. This is the reporting page that has been used by CERT-CC and typically has resulted in the well-known VU#s issued by CERT-CC. It is not yet clear if the information shared with CERT-CC via this page will be primarily addressed in advisories published by NCCIC-ICS or advisories published by CERT-CC. The link from the CISA page does automatically check the “Significant ICS/OT impact?” box a third of the way down the page, so that may bifurcate the vulnerability reporting and coordinating responsibilities. Or CISA may just be contracting those responsibilities to CERT-CC. It is too early to tell, and this new landing page is not explaining much.
What is specifically missing here is a working definition of what CISA is going to consider to be ‘Industrial Control Systems’ going forward. Advisories that have been published under this heading have included such non-industrial systems as medical devices, vehicles, IP cameras, building control systems, fire safety systems and security systems.