Siemens has released more security patches to protect industrial systems -- including chemical plants, dams and transportation systems -- from the DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) vulnerability, according to a Department of Homeland Security Advisory update revised on June 15, 2017.
The updated reinforces the tricky time industrial IT professionals and managed security services providers (MSSPs) can have safeguarding truly mission critical infrastructure from hackers and cyber threats.
The new Siemens advisory builds upon an earlier alert from April 2016. If left unpatched, an attacker in a privileged network position can use the DROWN vulnerability to intercept transport layer security sessions, today's advisory stated.
Potential DROWN Vulnerability Targets
According to Siemens, potential target devices are deployed across most sectors including Chemical, Communications, Critical Manufacturing, Dams, Defense Industrial Base, Energy, Food and Agriculture, Government Facilities, Transportation Systems, and Water and Wastewater Systems. Moreover, the products are used worldwide.
In addition to the Siemens update, ICS-CERT recommends that users take at least three defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
U.S. Utilities, Electric Grid At Risk?
The U.S.-based electric grid and utilities across the country have faced multiple alerts this month.
Just last week the U.S. Department of Homeland Security issued a CrashOverride malware warning to electric utilities and power grid operators.
The warning, from the Computer Emergency Readiness Team’s (CERT’s) National Cybersecurity and Communications Integration Center (NCCIC), mentions public reports from ESET and Dragos that outline “a new highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine.”
N-Dimension Solutions, an MSSP that supports more than 100 utilities, has taken steps to combat potential CrashOverride threats and also recommends these safe practices for customers.