GE Fanuc HMI vulnerability disclosure and industry response

Nov. 13, 2008

The GE Fanuc/Proficy Information Portal Remote Code Execution Vulnerability has been identified via US CERT Vulnerability Note VU#339345 and issued November 7th as a NERC ES-ISAC Advisory: “…The NERC ES-ISAC estimates that the risk to grid reliability from this vulnerability is LOW based on the limited deployment of the vulnerable technology…The NERC Advisory contains useful information regarding the affected product. Please forward to technical SMEs within your organization as required to assess and remediate the potential impact of exploit outlined this Advisory… NERC Advisories are not the same as a reliability standard, and your organization will not be subject to penalties for a failure to address this Advisory…”

I had this specific vulnerability demonstrated to me and it was obvious this was not a trivial problem. The GE Fanuc HMI is not widely deployed in electric control centers or substations, which are NERC’s traditional venues, but is widely deployed in power plants and other industrial facilities. Consequently, it is not clear the risk to grid reliability is low. In addition, this is not the only GE Fanuc cyber vulnerability.

I did have a chance to discuss this and other disclosure issues with Mike Assante, NERC VP and Chief Security Officer. Among other issues, Mike is in the process of restructuring how NERC issues vulnerability notices. I believe the new process can help. As mentioned, NERC Advisories are not always treated as critical activities. This was vividly demonstrated with the Aurora and Boreas Advisories that have been pretty much ignored by industry. The GE Fanuc case is even more tenuous as the Advisory designates the vulnerability as a low risk. Will the utilities begin to take these advisories seriously or is more regulation needed? Without meaning to sound like a broken record, this is another example of the need for a CERT for Control Systems.

Joe Weiss
