At Least Pretend You Care: Writing ICS Vulnerability Analysis
Sean McBride
S4 2014

Will you be my BFF?
We need analysts – badly!
Disclaimer
•  Conducted analysis of nearly 900 public ICS-specific vulnerabilities
–  Constantly updating analytical approach and template
•  Examples are only representative of issues
•  If you don’t get named, it doesn’t mean you don’t need to improve
What we are dealing with
[Figure: funnel from vulnerabilities discovered, to disclosed, to public]
[Chart: CI (Critical Intelligence) total counts by quarter]
[Chart: by repository]
Leading Vendors
Vendor      Vulns  Patches  Patch %  Exploits
Siemens       99      73      73%       16
Rockwell      49      27      55%        5
Schneider     44      20      45%       11
ICONICS       30      25      83%       17
RuggedCom     25      24      96%        2
GE IP         25      18      72%        4
Based on empirical evidence.
To whom are you telling what, when, why?
Owner/Operators
- ICS engineers
- ICS compliance personnel
- ICS security analysts
- IT security analysts
Engineer/Integration firms
- Integrators
- Support/maintenance
Media
- Reporters
- Bloggers
Security Industry
- Intelligence firms
- ISACs
- Gov agencies
Potential Adversaries
- Activists/hacktivists
- Malicious insiders
- Nation states
[Diagram axes: Disclosed → Public; Focus]
Golden Question
•  How could that vulnerability affect the controlled process?
•  We can’t get that answer without:
–  Analytical expertise (IT, infosec & ICS fields)
–  Accurate, reliable, consistent communications
Example 1
Sep. 2013
Schneider Electric was notified and is responding to a vulnerability in the MiCOM S1 Studio Software product. This software utility is used to configure and maintain electronic protective relays.

Schneider Electric has released a new version of MiCOM S1 Studio SW, V4.0.1, to address some of these vulnerabilities.
Example 1 (same advisory)
During install, Read/Write access by any user is permitted to MiCOM S1 Studio executables in the Program Files directory. This condition persists after installation. As a result of this access, the configuration files and the Windows service used by the program can be manipulated or modified by any user with local computer access.

Schneider Electric has released a new version of MiCOM S1 Studio SW, V4.0.1, to address some of these vulnerabilities. The installation routine of MiCOM 1 Studio V4.0.1 provides digital signature to all files related to the use of MiCOM S1 Studio: Digital signature indicates [to] operating systems and user that the libraries/executables are from Schneider Electric (Trusted source).
Example 2
Apr. 2013
537599 - FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability

Rockwell Automation was notified through ICS-CERT that Carsten Eiram from the security firm, Risk Based Security identified vulnerabilities that affect a software component of the FactoryTalk Service Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise software (LogReceiver.exe and Logger.dll).
Example 2 (same advisory)
•  A specially crafted packet sent to TCP port 5241 will result in a crash of the RsvcHost.exe service. A successful attack will result in the following:
–  Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
–  Crash condition that disrupts further execution of the RNADiagnostics.dll or RNADiagReceiver.exe diagnostic service.
•  When successfully exploited, the vulnerability will cause the thread receiving data to exit, resulting in the service silently ignoring further incoming requests. A successful attack will result in two respective conditions:
–  Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4444.
–  Crash condition that disrupts further execution of the LogReceiver.exe
•  ICSA-13-095-02, issued April 5, 2013:
–  CVE-2012-4695
–  CVE-2012-4713
–  CVE-2012-4714
–  CVE-2012-4715

INTEGER OVERFLOW–NEGATIVE INTEGER (CVE-2012-4713)
The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and cannot allocate a negative integer. By sending a negative integer input to the service over Port 4445/UDP…
INTEGER OVERFLOW–OVERSIZED INTEGER (CVE-2012-4714) …
IMPROPER EXCEPTION HANDLING (CVE-2012-4695) …
OUT-OF-BOUNDS READ (CVE-2013-2805) …
INTEGER OVERFLOW (CVE-2013-2807) …
INTEGER OVERFLOW (CVE-2013-2806) …

•  What about CVE-2012-4715??
•  Apparently it was a repeat of CVE-2012-4695
•  How did that happen?

More Analysis
•  Reveals more problems
Lessons
•  Don’t be tricky – customer relationships are about TRUST
•  As much as possible: 1 advisory for 1 vulnerability
•  Each vulnerability needs a unique identifier
•  Specify what patch corresponds to what vuln
–  One patch can still fix many vulns
Kudos
Bug finders
•  Limited experience with deployed ICS
•  Downloaded free software / got access to this device…
•  Did XYZ to it… It crashed…
Researcher              Number disclosed
Luigi Auriemma*               130
GLEG*                          47
Positive Technologies          36
Rios & McCorkle                34
Kuang-Chun Hung                28
* own-terms disclosure
Example 3
From Luigi Auriemma (2010)
"RealWin is a SCADA server package for medium / small applications."
The service of the server running on port 912 is vulnerable to a stack based buffer-overflow caused by the usage of sprintf() for building a particular string with the data supplied by the attacker
Example 4
From Blake, posted to Exploit DB (September 2013)
<title>Mitsubishi MC-WorkX Suite Insecure ActiveX Control (IcoLaunch)</title> <p>This proof of concept will launch an arbitrary executable when the Login Client button is clicked. An attacker could use this to have the victim launch malicious code from a remote share.
Lessons
•  Researchers don’t offer much ICS context
–  Working with Critical Intelligence or ICS-CERT, or other analytical organization might provide this
–  Working with experienced ICS professionals can provide this
•  Researchers can give great technical detail
–  Tech detail may be stripped from coordinated disclosures
–  Critical Intelligence calls/emails researchers all the time for more info
Example 5
•  Four vulns disclosed by Arthur Gervais at S4 2013
•  ICS-CERT (March) update: “Two of the vulnerabilities initially reported have been determined not to be valid”
•  By whom? Not Arthur!
Buy or Borrow?
•  ICS-CERT
–  3 of 6 “missions” deal with vulnerabilities
–  Alerts/advisories from 91 vendors
–  82 vendors do not write their own

Good on them
•  Handled 100s of vuln disclosures
•  Provide some context
•  Reliance on CWE
•  Responsive to inquiries
•  Moved to a Web format instead of PDF – way easier!
Timing
•  HSIN
–  ICS-CERT compartment
–  US citizen ICS owner/operators with “need to know”
–  Early notice on certain advisories

Example 6
[image-only slide; no text extracted]
Example 7
January 2014 Advisory
Affected Products
-------------------
The following [Vendor] versions are affected:
• All versions released prior to December 1, 2013,
• [Vendor Product Number] (Firmware from 2010), and
• [Vendor Product Number] (Latest Firmware).
Example 8
ICSA-13-219-01 (August 2013)
The RTAC master device can be sent into an infinite loop by sending a specially crafted TCP packet from the master station on an IP-based network

CVE-2013-2792: IP-based version
CVE-2013-2798: Serial version

Missing ICS understanding…
Lessons
•  Give a balanced voice between researcher/vendor
•  Rethink ICS-CERT HSIN compartment
•  Err on the side of too much detail rather than too little (not asking for PoC/exploit)
•  Have someone proofread/sanity check
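Most of the lessons on these slides (one identifier per vulnerability, an explicit patch-to-vulnerability mapping even when one patch fixes many, affected-version statements an operator can act on, an attack vector that is physically possible on the product, and a sanity check before anything ships) are mechanical enough to put in a pre-publication gate. The checker below is an added example written for this page; it is not code from the talk, from Critical Intelligence or from ICS-CERT. The advisory record layout (the `vulnerabilities`, `fixes` and `affected` keys), the placeholder CVE-0000-* identifiers, the FIX-* patch names and the whole draft are constructed for illustration, and the draft is deliberately built to trip the problems shown in Examples 2, 7 and 8: a CVE listed twice, a fix that "addresses some of these vulnerabilities" without saying which, "Latest Firmware" and "prior to December 1, 2013" as version ranges, and a TCP-packet bug claimed against a serial-only unit.

```python
"""Sanity checks for a structured ICS advisory draft before it is published."""
from __future__ import annotations

import re
from collections import Counter

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_RE = re.compile(r"^CWE-\d+$")
# Phrases that leave an asset owner unable to tell whether they are affected (heuristic)
VAGUE_VERSION_RE = re.compile(r"\b(latest|current|prior to|before|after)\b|\bfrom \d{4}\b", re.I)
# Which physical interface a transport needs; a serial-only unit cannot receive a TCP packet
TRANSPORT_NEEDS = {"tcp": {"ethernet"}, "udp": {"ethernet"}, "serial": {"serial"}}

# Constructed draft with placeholder IDs (not a real advisory), built to exhibit the slides' problems
DRAFT = {
    "advisory_id": "EXAMPLE-2014-001",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "cwe": "CWE-190", "transport": "tcp",
         "affects": ["Master, IP-based", "Master, serial"], "fixed_by": ["FIX-1"]},
        {"id": "CVE-0000-0002", "cwe": "CWE-755", "transport": "tcp",
         "affects": ["Config tool"], "fixed_by": ["FIX-1"]},
        # same CVE listed twice, weakness class and fix left blank
        {"id": "CVE-0000-0002", "cwe": "", "transport": "tcp",
         "affects": ["Config tool"], "fixed_by": []},
        {"id": "CVE-0000-0003", "cwe": "CWE-125", "transport": "tcp",
         "affects": ["Config tool"], "fixed_by": ["FIX-7"]},  # FIX-7 is not a listed fix
    ],
    "fixes": [{"id": "FIX-1", "version": "4.0.1"}, {"id": "FIX-2", "version": "4.0.2"}],
    "affected": [
        {"product": "Master, IP-based", "versions": "2.1.0 through 2.3.4", "interfaces": ["ethernet"]},
        {"product": "Master, serial", "versions": "Latest Firmware", "interfaces": ["serial"]},
        {"product": "Config tool", "versions": "All versions released prior to December 1, 2013",
         "interfaces": ["ethernet"]},
    ],
}


def check_advisory(adv: dict) -> list[str]:
    """Return 'TAG: detail' findings; an empty list means the draft passes these checks."""
    findings: list[str] = []
    vulns = adv.get("vulnerabilities", [])
    fixes = {f["id"] for f in adv.get("fixes", [])}
    products = {p["product"]: set(p.get("interfaces", [])) for p in adv.get("affected", [])}

    # One unique, well-formed identifier per distinct bug
    for vid, n in Counter(v.get("id", "") for v in vulns).items():
        if n > 1:
            findings.append(f"DUPLICATE_ID: {vid} appears {n} times")
        if not CVE_RE.match(vid):
            findings.append(f"BAD_ID: {vid!r} is not a CVE identifier")

    for v in vulns:
        vid = v.get("id", "?")
        # Weakness class and an explicit vuln -> fix mapping (one fix may cover many vulns)
        if not CWE_RE.match(v.get("cwe", "")):
            findings.append(f"MISSING_CWE: {vid}")
        if not v.get("fixed_by"):
            findings.append(f"NO_FIX_MAPPING: {vid} ('addresses some of these' is not a mapping)")
        for fid in v.get("fixed_by", []):
            if fid not in fixes:
                findings.append(f"UNKNOWN_FIX: {vid} refers to {fid}")
        # The attack transport must exist on every product the vuln is claimed against
        needs = TRANSPORT_NEEDS.get(v.get("transport", ""), set())
        for name in v.get("affects", []):
            if name not in products:
                findings.append(f"UNKNOWN_PRODUCT: {vid} claims {name!r}")
            elif needs and not (products[name] & needs):
                findings.append(f"VECTOR_MISMATCH: {vid} via {v['transport']} on {name!r}")

    referenced = {fid for v in vulns for fid in v.get("fixed_by", [])}
    for fid in sorted(fixes - referenced):
        findings.append(f"ORPHAN_FIX: {fid} maps to no listed vulnerability")

    # Affected-version statements an operator can act on
    for p in adv.get("affected", []):
        if VAGUE_VERSION_RE.search(p.get("versions", "")):
            findings.append(f"VAGUE_VERSION: {p['product']}: {p['versions']!r}")

    if len(vulns) > 1:
        findings.append(f"MULTI_VULN: {len(vulns)} vulnerabilities in one advisory; consider one each")
    return findings


if __name__ == "__main__":
    for line in check_advisory(DRAFT):
        print(line)
```

Run as a script it prints one line per problem; `check_advisory` returns an empty list for a draft that passes, which is what a publishing workflow would gate on. The vague-version test is a small regex over phrases seen in Example 7 and will need extending to a given vendor's version and firmware naming scheme.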
Summary
1.  At least pretend you care!
2.  Who you gonna tell what, when and why?
3.  Create, validate, use a template
4.  Hire someone who knows and cares about security (and ICS) and make them responsible
5.  Conduct analysis!
6.  Proofread/sanity check
Will you be my BFF?
Image Credits
•  Slide 1: PikiWiki Israel 10402 Environment of Israel.JPG; אורי דניאל; Creative Commons Attribution 2.5 Generic license; http://commons.wikimedia.org/wiki/File:PikiWiki_Israel_10402_Environment_of_Israel.JPG
•  Slide 11: Panning; Murdoch, George G.; http://commons.wikimedia.org/wiki/File:Panning2.jpg
•  Slide 29: One Canada Square, Canary Wharf; Garry Knight; Creative Commons Attribution-Share Alike 2.0 Generic; http://commons.wikimedia.org/wiki/File:One_Canada_Square,_Canary_Wharf.jpg