The Billy Rios / Terry McCorkle article about the vulnerability handling of Tridium and ICS-CERT is a must read. I started to pull quotes from it and found I wanted to include almost everything. It's clear that Tridium was unresponsive not only to the Rios/McCorkle report of the vulnerability on January 30th, but also to a Pentagon customer in 2011. Billy and Terry write:
We don’t understand Tridium’s claims that, “The firm also is doing more to train customers about security” when the root cause of these issues is poor design and coding practices from Tridium itself. Maybe Tridium should invest in training their developers about security first.
There are some equally tough words for ICS-CERT and the US Government. While giving ICS-CERT credit for diligent coordination, they wonder out loud why the priority seems to be protecting the vendor's reputation.
However, when a vendor is unresponsive or refuses to accept responsibility for an issue, ICS-CERT should have the authority to inform those customers who are vulnerable in a timely manner. DHS and ICS-CERT work for us, the American people… they do not work for the PR departments of ICS companies. ICS-CERT should be able to take the appropriate actions to ensure that we’re safe and to ensure ICS customers have the right information to mitigate and control risk. The PR damage done to any individual company should never be part of this equation.
Amen. We have seen this repeatedly with Siemens and other vendors driving the what and when of the bulletin unless some "irresponsible" researcher discloses the problem. From a personal standpoint, we are still waiting for the US Government to tell owner/operators that their PLCs are insecure and need to be replaced or upgraded.
The Rios/McCorkle article came out prior to the ICS-CERT Alert, but I want to focus on the flailing in this alert.
What would an owner/operator be looking for from an alert? A clear understanding of what the vulnerability is and how it can be addressed. This and many other ICS-CERT alerts fail badly on this criterion when you consider the ICS owner/operator audience that ICS-CERT is speaking to. The two most vivid examples in this alert are:
1. Lack of clarity on the vulnerability
The vulnerability description is written for security professionals, and it is even a bit vague for that audience. The only ICS-CERT text describing the vulnerability is:
Independent security researchers Billy Rios and Terry McCorkle notified ICS-CERT of a directory traversal and weak credential storage vulnerability with proof-of-concept (PoC) exploit code for Tridium Niagara AX Framework software. According to their research, the vulnerabilities are exploitable by downloading and decrypting the file containing the user credentials from the server.
Why not try to keep it simple, with something like:
If an attacker is able to log in to the Tridium Niagara AX Server with any account, he can perform a directory traversal attack and download a file containing all user account names and passwords. The Niagara installation automatically creates a guest account with no password and a demo account with a default password that can easily be found in an Internet search. If these accounts are not disabled, or if an attacker has recovered another set of account credentials, then the system can be completely compromised. The attacker would recover the account name and password for an administrator and use these credentials to attack the system.
I’d like to see one more sentence indicating the bad things an administrator can do to really drive the point home. ICS-CERT should not be coy about the impact of a vulnerability. The bulletin could add something about the protection of the credentials being weak, but that doesn’t really matter to the owner/operator.
2. Fuzzy Mitigations
The ICS-CERT Alerts and Advisories consistently include good security practice information in the mitigation section. While this is useful information, it doesn't belong here, where a customer is trying to figure out how to address the problem. How is using DHS's CSET tool going to help with this problem? The firewall and VPN advice is the classic "don't let the bad guys get to the vulnerable product" advice. It represents a third of the Alert and distracts from the critical information.
Perhaps the biggest problem is the Tridium mitigation advice. It's actually good advice, but since the vulnerability was never explained properly to the target audience, they may not realize that preventing the bad guys from logging in with any account is the key to preventing this attack until Tridium fixes the actual vulnerabilities. The Tridium advice sounds like good practice security advice, but so is the ICS-CERT advice that follows. The difference is that disabling the Guest and Demo users is essential.
The Alert should be very blatant in the mitigation section. It should lead with some straightforward sentences such as:
The Directory Traversal vulnerability is still present in the Niagara software and can be exploited by anyone who can log in to the Niagara web interface. The most essential step to prevent this attack is to disable the Guest and Demo users. Niagara software users should also take the following steps to make it more difficult for an attacker to log in to the Niagara web interface …
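The two facts an owner/operator needs from this alert, that traversal is only a login away and that the default Guest and Demo accounts are the easiest login, translate directly into a check a defender can run. The following is an added example, not code from the post, Tridium or ICS-CERT: it audits constructed web-server log lines for traversal sequences (including URL-encoded forms) and for any activity under the default accounts, and checks an account inventory for default accounts still enabled. The log format and file paths are assumptions, not Niagara's real formats.

```python
import re
from urllib.parse import unquote

# Default accounts the post says the Niagara installer creates; disabling them is the key mitigation.
DEFAULT_ACCOUNTS = {"guest", "demo"}
# "../" or "..\" anywhere in the decoded path (covers %2e%2e%2f and double-encoded forms after decoding).
TRAVERSAL_RE = re.compile(r"\.\.(?:[/\\]|$)")

def normalize_path(path, rounds=3):
    """URL-decode repeatedly so double-encoded traversal sequences are exposed."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def parse_line(line):
    """Constructed log format: '<user> <METHOD> <path> <status>' (an assumption, not Niagara's real format)."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return {"user": parts[0], "method": parts[1], "path": parts[2], "status": int(parts[3])}

def audit(lines):
    """Flag traversal attempts (with the account that made them) and any use of default accounts."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["path"])
        if TRAVERSAL_RE.search(path):
            findings.append(("traversal", rec["user"], path, rec["status"]))
        if rec["user"].lower() in DEFAULT_ACCOUNTS:
            findings.append(("default-account", rec["user"], path, rec["status"]))
    return findings

def enabled_default_accounts(accounts):
    """accounts: {name: enabled} from an account inventory; returns default accounts still enabled."""
    return sorted(n for n, on in accounts.items() if on and n.lower() in DEFAULT_ACCOUNTS)

# Constructed sample lines; paths are placeholders, not real Niagara file locations.
SAMPLE_LOG = [
    "admin GET /dashboard 200",
    "guest GET /files?name=../../../station/users.db 200",
    "demo GET /files?name=..%252f..%252fconfig 404",
    "operator GET /files?name=report.csv 200",
]
```

A non-empty result from `enabled_default_accounts` is the finding that matters most: until those accounts are disabled, every `traversal` hit under `guest` or `demo` is an attacker who needed no credentials at all.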
ICS-CERT action is so consistently bad that a number of people I respect in the community have told me to stop bothering with ICS-CERT. They say ICS-CERT is worthless and a distraction. This is regrettable, because ICS-CERT and DHS are still the best opportunity in the US to get ICS security information out to owner/operators, and they have the biggest bully pulpit to instigate a change in culture and attitude.
Image by Asiatic League