<< Note – I edited one paragraph after further thought and uncertainty of the exact time this was released. My change log says Friday, the date says Thursday. Apologies if the Friday comments are in error, but this is a big impact vuln that is being treated like any freeware HMI vuln.>>
It’s an old political and business trick to release bad news late on Friday when most people are shifting to weekend mode. This practice has now moved to the ICS world. ICS-CERT released an OSIsoft PI OPC DA Interface Buffer Overflow Advisory. The buffer overflow could allow a medium skilled authenticated attacker to remotely execute arbitrary code (run his own attack software) on the PI OPC Interface.
This is big. The PI Server is by far the most popular historian, particularly in the energy sector but also in manufacturing, water, … The PI OPC Interface is by far the most popular interface, or way of getting data into a PI Server. Owner/operators typically run OPC PI interfaces to get the data from their control system that supports OPC to the PI Server. OPC is like a universal translator in control systems, and OSIsoft encouraged customers to use it as the first choice in getting data into PI. We see PI Servers in more than 80% of our assessments, and the interface used to get data into the PI server is more often than not OPC.
The Good News
This vulnerability was identified in a DHS funded assessment of the PI Server. OSIsoft has sung the praises of the Idaho National Lab (INL) assessments of their product, and this is probably one of the reasons why.
OSIsoft was not required to either fix or disclose the vulnerability, but they chose to do both. We have harped on the fact that vulnerability handling of these taxpayer funded assessments are solely at the vendor’s discretion. They can hide them and do nothing (think S7/Stuxnet); they can silent fix and not announce the problem or reason to upgrade or patch; or they can disclose the problem. There were likely some interesting discussions about OSIsoft about fixing the problem, but not disclosing there was a vulnerability. The silent fix is still very common for ICS vulnerabilities that are discovered under NDA. They didn’t take that path and deserve credit.
(Full Disclosure – OSIsoft has contributed to Digital Bond’s Bandolier and Portaledge projects and sponsored S4 in past years)
The Bad News
Why did ICS-CERT bury this disclosure late on a Friday afternoon. It’s not as if this was a surprise to DHS since they found it and are working with OSIsoft.
UPDATED Paragraph: Why is ICS-CERT not highlighting this issue more? One of the reasons for ICS-CERT’s existence is that US-CERT lacked the ICS experience. Shouldn’t this vulnerability that affects large amounts of the critical infrastructure get a bit more push and attention? I’m unsure if this came out on Friday or late Thursday, but it barely registered a blip in the community.
A check of OSIsoft’s technical support site (login requires) shows they announced it on July 11th. The OSIsoft announcement is buried in a technical support bulletin. There was a briefing on the INL findings at the last user conference, but I was not at that event and am uncertain if this vulnerability was announced.
OSIsoft should do a much better job of informing customers about this vulnerability, shouldn’t their be a link on the home page saying Important Security Update to OPC Interface? After all, it is a vulnerability that can be remotely exploited in their most popular interface.
Image by roger4336