GE Fanuc HMI vulnerability disclosure and industry response

The GE Fanuc/Proficy Information Portal Remote Code Execution Vulnerability has been identified via US CERT Vulnerability Note VU#339345 and was issued November 7th as a NERC ES-ISAC Advisory: “…The NERC ES-ISAC estimates that the risk to grid reliability from this vulnerability is LOW based on the limited deployment of the vulnerable technology…The NERC Advisory contains useful information regarding the affected product. Please forward to technical SMEs within your organization as required to assess and remediate the potential impact of exploit outlined in this Advisory… NERC Advisories are not the same as a reliability standard, and your organization will not be subject to penalties for a failure to address this Advisory…”

I had this specific vulnerability demonstrated to me, and it was obvious this was not a trivial problem. The GE Fanuc HMI is not widely deployed in electric control centers or substations, which are NERC’s traditional venues, but is widely deployed in power plants and other industrial facilities. Consequently, it is not clear the risk to grid reliability is low. In addition, this is not the only GE Fanuc cyber vulnerability.

I did have a chance to discuss this and other disclosure issues with Mike Assante, NERC VP and Chief Security Officer. Among other issues, Mike is in the process of restructuring how NERC issues vulnerability notices. I believe the new process can help. As mentioned, NERC Advisories are not always treated as critical activities. This was vividly demonstrated with the Aurora and Boreas Advisories, which have been pretty much ignored by industry. The GE Fanuc case is even more tenuous, as the Advisory designates the vulnerability as a low risk. Will the utilities begin to take these advisories seriously, or is more regulation needed? Without meaning to sound like a broken record, this is another example of the need for a CERT for Control Systems.

Joe Weiss


Comments

  • The problem with those advisories is that they are not made public, even after a suitable "private" period. It's common knowledge that security through obscurity does not work, and the best way to deal with vulnerabilities is to make them widely known*.

    For the Aurora vulnerability, chances are many people in the control system field have heard of it but know no specifics at all about it, because it has not been made public.

    * after a suitable period to allow people a chance to fix them, say 60 days
