Mitsubishi advises isolation as mitigation
Countermeasures in several of the latest Mitsubishi vulnerability bulletins amount to isolation and firewalling of the affected devices while fixes are being developed.
Exposed Healthcare Transport Tubing
Transport tube systems used in more than 3,000 hospitals to deliver medicines and blood samples are exposed through hard-coded passwords, unencrypted connections and unauthenticated firmware updates.
CISA ICS Ransomware Factsheet
US CISA issues ICS ransomware factsheet. Recommendations include:
Prepare:
- ID critical processes & equipment
- Develop and test response plan
- Ensure adequate backups in place
Mitigate:
- Practice cyber hygiene (patching, application whitelisting, user management, MFA, etc.)
- Network segmentation
- Vigilant network monitoring
Respond:
- Isolate impacted systems
- Power down where isolation is not possible
- Triage and restore impacted systems
- Obtain specialist third party assistance
- Take a forensic image
- Obtain decryptors via legal routes
Rockwell ISaGRAF5 Runtime Funtime
A string of vulnerabilities in this runtime allows remote code execution with low attack complexity.
Vendor recommendations for users include:
- apply patches
- restrict or block access on TCP 1131 and TCP 1132
- limit user/service account access to the Runtime's folder
Codesys remote execution vulnerabilities
Codesys automation software gets a 10 out of 10 severity rating for 6 new vulnerabilities:
- CVE-2021-30189 – Stack-based Buffer Overflow
- CVE-2021-30190 – Improper Access Control
- CVE-2021-30191 – Buffer Copy without Checking Size of Input
- CVE-2021-30192 – Improperly Implemented Security Check
- CVE-2021-30193 – Out-of-bounds Write
- CVE-2021-30194 – Out-of-bounds Read
Siemens S7 critical vulnerabilities
Siemens has released patches / workarounds for critical memory protection bypass vulnerabilities in S7-1200 and S7-1500 products.
Vendor recommended mitigations as follows:
- Password protect S7 comms
- Disallow client connections
- Restrict access from the S7-1500 display
- Apply physical security, network zoning etc.
- Update to TIA v17 and enable TLS
Major US East Coast Pipeline suffers Cyber attack
Ransomware effects spilling over into the real world.
A press release from Colonial Pipeline: “On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware… In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems”
NSA: How to stop Malicious Cyber Activity
NSA issued Advisory: Guidance to Stop Malicious Cyber Activity Against Connected Operational Technology
“While there are very real needs for connectivity and automating processes, operational technologies and control systems are inherently at risk when connected to enterprise IT systems”
In essence, the recommendations are as follows:
- Manage, encrypt and authenticate all remote access connections
- Add sensors and actively monitor all remote connections. Disconnect remote access until this is in place.
- Create an OT map, validate unknown assets and create baseline configurations
- Create a known OT communication baseline
- Create short, medium and long term improvement plans
- Maintain offline “gold copy” baselines for OT networks and devices to enable recovery from a known good source.
PDF available here.
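The NSA points above about mapping OT assets, baselining OT communications and monitoring remote connections are the kind of thing that is easiest to understand as code. The block below is an added example for this digest, not NSA's code or any product's: it learns a baseline of (src, dst, proto, dport) tuples from one window of flow records, then flags later flows that are not in the baseline, remote-access protocols entering OT from outside the OT address space, or engineering-only ports (S7comm on 102, the ISaGRAF ports 1131/1132 named in the Rockwell bulletin above) reached by anything other than a known engineering workstation. The subnet, engineering host, port sets and all flow lines are constructed assumptions for illustration.

```python
"""Known-good OT communication baseline with deviation alerts.

Added example, not NSA or vendor code. Flow lines are constructed:
"<timestamp> <src> <dst> <proto> <dport>", one flow per line.
"""
import ipaddress

# Assumed environment: adjust to the real OT map.
OT_NETS = [ipaddress.ip_network("10.10.0.0/16")]   # assumed OT address space
ENGINEERING_HOSTS = {"10.10.1.50"}                 # assumed engineering workstation
REMOTE_ACCESS_PORTS = {22, 3389, 5900}             # SSH, RDP, VNC
ENGINEERING_ONLY_PORTS = {102, 1131, 1132}         # S7comm, ISaGRAF runtime

# Constructed learning window: HMI and engineering workstation talk to one PLC.
LEARNING_WINDOW = """
2021-05-10T08:00:01 10.10.1.10 10.10.2.20 tcp 44818
2021-05-10T08:00:02 10.10.1.50 10.10.2.20 tcp 102
2021-05-10T08:00:03 10.10.1.50 10.10.2.20 tcp 44818
""".strip().splitlines()

# Constructed monitoring window: one known flow, one RDP session from the
# enterprise side, one HMI flow to a new PLC, one non-engineering host on an
# ISaGRAF port (seen twice, to show alerts are de-duplicated per tuple).
MONITORING_WINDOW = """
2021-05-11T09:00:01 10.10.1.10 10.10.2.20 tcp 44818
2021-05-11T09:00:05 192.168.5.7 10.10.2.20 tcp 3389
2021-05-11T09:00:09 10.10.1.10 10.10.2.21 tcp 44818
2021-05-11T09:00:12 10.10.3.3 10.10.2.20 tcp 1131
2021-05-11T09:00:40 10.10.3.3 10.10.2.20 tcp 1131
""".strip().splitlines()


def parse_flow(line):
    """Reduce a flow record to the tuple the baseline is keyed on (timestamp dropped)."""
    _ts, src, dst, proto, dport = line.split()
    return (src, dst, proto.lower(), int(dport))


def in_ot(ip):
    """True if the address falls inside the assumed OT address space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETS)


def build_baseline(lines):
    """Every distinct flow tuple observed during the learning window."""
    return {parse_flow(line) for line in lines if line.strip()}


def check_flows(lines, baseline):
    """Return {flow_tuple: [reasons]} for flows that deviate from policy or baseline."""
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        src, _dst, _proto, dport = flow
        reasons = []
        if flow not in baseline:
            reasons.append("flow not in baseline")
        if dport in REMOTE_ACCESS_PORTS and not in_ot(src):
            reasons.append("remote access into OT from outside OT")
        if dport in ENGINEERING_ONLY_PORTS and src not in ENGINEERING_HOSTS:
            reasons.append("engineering-only port reached by non-engineering host")
        if reasons and flow not in alerts:   # one alert per tuple
            alerts[flow] = reasons
    return alerts


def run_example():
    """Learn from LEARNING_WINDOW, then check MONITORING_WINDOW against it."""
    baseline = build_baseline(LEARNING_WINDOW)
    return check_flows(MONITORING_WINDOW, baseline)


if __name__ == "__main__":
    for flow, reasons in run_example().items():
        print(flow, "->", "; ".join(reasons))
```

The baseline set is deliberately the raw tuple: in a real deployment the learning window is taken from a span during which the network is believed clean, and the set is then frozen and stored offline with the other "gold copy" baselines so an intruder cannot silently add their own flows to it.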
Ethernet/IP vulnerabilities in EIPStackGroup OpENer
OpENer is an EtherNet/IP stack for I/O adapter devices, frequently embedded into control systems.
Various denial-of-service and remote code execution vulnerabilities have been disclosed for this ENIP implementation.
Patches are available and can be incorporated into internally developed systems; vendors may take some time to cover products that rely on this stack.
US CISA recommends the following mitigations:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
Splice provides all above mitigations as well as vulnerability shielding and behavioural profiling.
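Embedded ENIP stacks get into trouble when they trust the length fields in a packet rather than the bytes actually received. The block below is an added example for this digest, not OpENer code and not a reproduction of any specific OpENer bug: a parser for the 24-byte EtherNet/IP encapsulation header (command, length, session handle, status, sender context, options, all little-endian, followed by `length` bytes of command data) that checks the declared length against the protocol maximum and against what was received before touching the payload, and validates the RegisterSession body. Command codes and the 65511-byte data maximum are from the public ENIP specification; the packet bytes built below are constructed test input.

```python
"""EtherNet/IP encapsulation-header parser with the bounds checks a
hardened I/O adapter stack should perform. Added example; not OpENer code."""
import struct

# command, length, session handle, status, sender context, options
ENIP_HEADER = struct.Struct("<HHIIQI")
HEADER_LEN = ENIP_HEADER.size          # 24 bytes
MAX_DATA_LEN = 65511                   # spec maximum for the data portion

CMD_NOP = 0x0000
CMD_LIST_SERVICES = 0x0004
CMD_LIST_IDENTITY = 0x0063
CMD_LIST_INTERFACES = 0x0064
CMD_REGISTER_SESSION = 0x0065
CMD_UNREGISTER_SESSION = 0x0066
CMD_SEND_RR_DATA = 0x006F
CMD_SEND_UNIT_DATA = 0x0070
KNOWN_COMMANDS = {CMD_NOP, CMD_LIST_SERVICES, CMD_LIST_IDENTITY, CMD_LIST_INTERFACES,
                  CMD_REGISTER_SESSION, CMD_UNREGISTER_SESSION,
                  CMD_SEND_RR_DATA, CMD_SEND_UNIT_DATA}


class EnipError(ValueError):
    """Raised for any packet a stack should drop rather than process."""


def build_encap(command, data=b"", session=0, context=0):
    """Build a well-formed encapsulation packet (used here to construct test input)."""
    return ENIP_HEADER.pack(command, len(data), session, 0, context, 0) + data


def parse_encap(packet):
    """Validate one encapsulation packet at the start of `packet`.

    Returns the header fields plus `consumed`, so a caller framing a TCP
    stream can advance by that many bytes. Every check happens before the
    payload is indexed, which is the point: a declared length larger than
    the buffer must never reach a memcpy.
    """
    if len(packet) < HEADER_LEN:
        raise EnipError("truncated header")
    command, length, session, status, context, options = ENIP_HEADER.unpack_from(packet)
    if length > MAX_DATA_LEN:
        raise EnipError(f"length {length} exceeds protocol maximum {MAX_DATA_LEN}")
    if HEADER_LEN + length > len(packet):
        raise EnipError(f"declared length {length}, only {len(packet) - HEADER_LEN} data bytes present")
    if options != 0:
        raise EnipError("options field must be zero")
    if command not in KNOWN_COMMANDS:
        raise EnipError(f"unsupported command 0x{command:04x}")

    data = packet[HEADER_LEN:HEADER_LEN + length]
    result = {"command": command, "length": length, "session": session,
              "status": status, "sender_context": context, "data": data,
              "consumed": HEADER_LEN + length}

    if command == CMD_REGISTER_SESSION:
        # Body is exactly: protocol version (1) and option flags (0).
        if length != 4:
            raise EnipError("RegisterSession data must be exactly 4 bytes")
        version, flags = struct.unpack("<HH", data)
        if version != 1 or flags != 0:
            raise EnipError(f"unsupported RegisterSession version {version} / flags {flags}")
        result["protocol_version"] = version
    return result


def parse_stream(buffer):
    """Split a TCP byte stream into validated packets using each packet's consumed length."""
    packets, offset = [], 0
    while offset < len(buffer):
        pkt = parse_encap(buffer[offset:])
        packets.append(pkt)
        offset += pkt["consumed"]
    return packets


if __name__ == "__main__":
    stream = build_encap(CMD_REGISTER_SESSION, struct.pack("<HH", 1, 0), context=0x1122) \
        + build_encap(CMD_LIST_IDENTITY)
    for p in parse_stream(stream):
        print(f"command=0x{p['command']:04x} length={p['length']} consumed={p['consumed']}")
```

The same length-versus-buffer check has to be repeated for every nested length field inside SendRRData and SendUnitData (the CPF item count and each item length), which is where a stack that gets the outer header right can still go wrong.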
Critical authentication bypass flaw across multiple Rockwell Logix products
US CISA released an advisory for an easy-to-exploit remote authentication bypass (CVSS score of 10) affecting multiple Rockwell Logix controllers. No patches seem to be forthcoming; Rockwell recommends configuration hardening and isolation as mitigations.