Feds, Vendors Warn Meltdown, Spectre Could Hit Industrial Controls Systems
Even though this was to be expected, it’s still unnerving to see it in a federal government warning: The Meltdown and Spectre processor bogies could extend to industrial controls systems, as in critical infrastructure asset owners and operators, according to an NCCIC/ICS-CERT bulletin.
(Side note: NCCIC/ICS-CERT is an acronym for the National Cybersecurity and Communications Integration Center, Industrial Control Systems Cyber Emergency Response Team. NCCIC is a wing of the Department of Homeland Security’s Office of Cybersecurity and Communications.)
What all those acronyms really mean is these are not agencies that precipitously overreact. The feds’ cyber specialists are referring to Meltdown and Spectre as ‘side-channel’ attacks because they spring from a hardware vulnerability not a software bug, which can make them all the more dangerous to critical infrastructure systems.
The alert itself, referencing an earlier bulletin on the vulnerability of CPU hardware to side-channel attacks, has two purposes: 1) To make critical infrastructure asset owners and operators aware of the threats, and 2) Identify affected product vendors that have contracted ICS-CERT to help spread the word to their customers. Both of those actions, the agency hopes, will help quell the risk associated with Meltdown and Spectre, figuring forewarned is forearmed.
The bulletin specifically pointed to four vendors –ABB, Becton, Dickinson, Rockwell, and Siemens, all of which had already contacted ICS-CERT to help them notify their customers of the threat and offer on-the-fly recommendations on how to mitigate the risk.
Here’s what three of the vendors had to say (Rockwell’s site is gated):
ABB: We are still investigating the affected ABB products. However, all ABB products that run on affected processors are potentially affected. The vulnerabilities do not target any ABB products specifically, but potentially affect products that use affected processors in general. ABB also counseled its customers to make certain that networks used for Industrial Control Systems [are] segregated from enterprise and/or public networks.
Benton, Dickinson: BD has assessed these vulnerabilities and identified the risk to have a low-impact. Any attack would require local or physical access, the difficulty in exploiting these vulnerabilities is high and the vulnerabilities do not have the potential to corrupt, modify, or delete data.
Siemens: Vendors of processors, operating systems, and other applications are releasing updates that help to mitigate these vulnerabilities. Siemens is analyzing the impact of these vulnerabilities on its own products.
ICS-CERT also provides a control systems recommended practices page on the ICS-CERT web site.