GE Fanuc HMI vulnerability disclosure and industry response

The GE Fanuc/Proficy Information Portal Remote Code Execution Vulnerability has been identified via US CERT Vulnerability Note VU#339345 and issued November 7th as a NERC ES-ISAC Advisory:  “…The NERC ES-ISAC estimates that the risk to grid reliability from this vulnerability is LOW based on the limited deployment of the vulnerable technology…The NERC Advisory contains useful information regarding the affected product. Please forward to technical SMEs within your organization as required to assess and remediate the potential impact of exploit outlined this Advisory… NERC Advisories are not the same as a reliability standard, and your organization will not be subject to penalties for a failure to address this Advisory…” 


I had this specific vulnerability demonstrated to me and it was obvious this was not a trivial problem. The GE Fanuc HMI is not widely deployed in electric control centers or substations which are NERC’s traditional venues but is widely deployed in power plants and other industrial facilities. Consequently, it is not clear the risk to grid reliability is low.  In addition, this is not the only GE Fanuc cyber vulnerability. 


I did have a chance to discuss this and other disclosure issues with Mike Assante, NERC VP and Chief Security Officer. Among other issues, Mike is in the process of restructuring how NERC issues vulnerability notices.  I believe the new process can help. As mentioned, NERC Advisories are not always treated as critical activities. This was vividly demonstrated with the Aurora and Boreas Advisories that have been pretty much ignored by industry. The GE Fanuc case is even more tenuous as the Advisory designates the vulnerability as a low risk. Will the utilities begin to take these advisories seriously or is more regulation needed?  Without meaning to sound like a broken record, this another example of the need for a CERT for Control Systems. 


Joe Weiss