Weekend Must-Read: ICSs May Not Be Safe from Heartbleed after All

April 12, 2014

Just because you've changed your Facebook and Dropbox passwords (you have, haven't you?) doesn't mean you can forget about Heartbleed. According to the Christian Science Monitor's Saturday edition, "Unconfirmed reports that Heartbleed has already been used to attack encrypted communications systems of US industrial control systems are being investigated, the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced in an alert Friday." 

Just how vulnerable industrial systems are is still unclear. 

Industrial firewall-maker Innominate Security Technologies AG of Berlin on Friday informed its customers in an e-mail that some of its firmware products used in industrial firewall systems were vulnerable to Heartbleed attacks. Innominate’s industrial firmware is used by several US industrial cybersecurity companies, but it may not be too widespread, some cybersecurity experts said. A snapshot of potentially affected Innominate-related equipment using the SHODAN search engine, which indexes industrial control systems, revealed that 1,500 or so systems worldwide are affected, with just over 200 US systems.

Ralph Langner of Stuxnet fame says “The impact of the Heartbleed vulnerability on the cyber security of critical infrastructure (where it involves industrial control systems) is minimal,”

But don't relax says Robert Radvanovsky, a cybersecurity researcher and co-founder of Infracritical, a think tank focused on shoring up cyberweaknesses in critical infrastructure. “It’s still very unclear just what type of systems are vulnerable to Heartbleed, and there will be many other systems not listed by SHODAN,” he says. “Right now the numbers look small, but it would be a mistake to take it easy.”

The complete story is here.