GE Fanuc HMI vulnerability disclosure and industry response

Nov. 13, 2008

The GE Fanuc/Proficy Information Portal Remote Code Execution Vulnerability has been identified via US CERT Vulnerability Note VU#339345 and issued November 7th as a NERC ES-ISAC Advisory: “…The NERC ES-ISAC estimates that the risk to grid reliability from this vulnerability is LOW based on the limited deployment of the vulnerable technology…The NERC Advisory contains useful information regarding the affected product. Please forward to technical SMEs within your organization as required to assess and remediate the potential impact of exploit outlined this Advisory… NERC Advisories are not the same as a reliability standard, and your organization will not be subject to penalties for a failure to address this Advisory…”

I had this specific vulnerability demonstrated to me and it was obvious this was not a trivial problem. The GE Fanuc HMI is not widely deployed in electric control centers or substations, which are NERC’s traditional venues, but is widely deployed in power plants and other industrial facilities. Consequently, it is not clear the risk to grid reliability is low. In addition, this is not the only GE Fanuc cyber vulnerability.

I did have a chance to discuss this and other disclosure issues with Mike Assante, NERC VP and Chief Security Officer. Among other issues, Mike is in the process of restructuring how NERC issues vulnerability notices. I believe the new process can help. As mentioned, NERC Advisories are not always treated as critical activities. This was vividly demonstrated with the Aurora and Boreas Advisories that have been pretty much ignored by industry. The GE Fanuc case is even more tenuous as the Advisory designates the vulnerability as a low risk. Will the utilities begin to take these advisories seriously or is more regulation needed? Without meaning to sound like a broken record, this is another example of the need for a CERT for Control Systems.

Joe Weiss
