
Iccpsic Assessment Tool Set Released

After a fair amount of soul searching and delay, Digital Bond is finally releasing our iccpsic tool set to subscribers who are vetted asset owners.

This was a difficult decision because this tool set will crash vulnerable ICCP servers. It is the tool set we developed and used to find a number of ICCP protocol implementation vulnerabilities, including some of those responsibly disclosed by US-CERT.

Here is why we are releasing it to subscribers who are vetted asset owners:

  • The vulnerabilities disclosed by US-CERT have been properly addressed by the vendors who make the ICCP stacks, primarily SISCO and LiveData, but many vendors who integrate and resell SISCO and LiveData stacks under private label have not issued security bulletins notifying their customers of the need to patch or upgrade the ICCP server to address the vulnerability. This tool will allow the asset owner to identify whether they have a vulnerable ICCP server, irrespective of the ICCP vendor’s disclosure decision.
  • Digital Bond has limited access to ICCP servers. We have tested versions of the more popular stacks, but new vulnerabilities could be introduced in future versions. It is not rare to see vulnerabilities reappear. There are many ICCP stacks with smaller distributions we have not tested and probably don’t know about. Asset owners can test the server they use and report any crashes/vulnerabilities to the vendor. We encourage and will support disclosing newly identified vulnerabilities to US-CERT.
  • Not all vulnerabilities get disclosed by US-CERT. If the vendor does not patch the vulnerability, US-CERT typically will not issue a Vulnerability Note. In other cases, vulnerabilities are not disclosed to US-CERT because of NDAs or other reasons. Asset owners can take matters into their own hands and test their ICCP server.

This was not an easy decision, but we feel selectively releasing these types of tools is critical to achieving our primary goal of assisting asset owners in securing control systems through information, tools and services.

In our web site redesign we envisioned releasing tools to vetted subscribers and built in the mechanism. We went through our list of subscribers and marked an initial set of asset owners as having vetted accounts. You will be able to download the iccpsic tool set and documentation from our Resources section after accepting the license terms.

Subscribers who believe they warrant vetted status can send us an email and request it.

Comments

Comment from Anonymous
Time: August 28, 2007, 3:06 pm

For obvious reasons, this must not have been an easy decision.

I hope it has the desired effect of enabling us asset owners to apply pressure on the asset vendors. There may be few of us who are interested in doing so to this level of detail, but certainly more than could have without the toolset, and that may be just enough over time.

I suspect that the toolset will be transferred to other organizations that may or may not fit the vetted profile once it has been distributed. Personally, I don’t put much weight behind the “You’re irresponsible for releasing the toolset” claims. Asset vendors and owners that refuse to mitigate the risks that such a toolset presents are more irresponsible by orders of magnitude. Everyone is aware there is no magic pill to make these environments secure, but we all have to start pulling our weight somewhere - even if it’s just at the process LAN perimeter(s). Throwing our hands in the air because there is no COTS fix provided a breeding ground for the need to research the security posture of the industry to see what the real exposures are.

I applaud you for making the decision given that you may anger a portion of your existing or potential customer base.

Comment from Jake Brodsky
Time: August 29, 2007, 7:48 am

If the ICCP vulnerability were not public, I would probably be saying rude things about Digital Bond right now. However, for better or for worse, the ICCP stack vulnerability is public. Solutions are available. A test routine that crashes a vulnerable stack isn’t exactly good news to my ears, but I’ll admit that it was going to happen sooner or later.

I just wish there were some way to figure out the vulnerability without crashing anything.

Comment from Dale Peterson
Time: August 29, 2007, 9:18 am

Jake - The Nessus plugins look for the LiveData and SISCO vulnerabilities by checking the registry or file locations for the version number. They do not run the attack and will not crash the server. See:

http://www.nessus.org/plugins/index.php?view=single&id=23813
and
http://www.nessus.org/plugins/index.php?view=single&id=23815

These are likely, but not guaranteed, to identify those vulnerable stacks in third party ICCP servers. It all depends on the integration approach.

The tool serves a lot of purposes. Many asset owners wanted something to prove why it is really a problem to management or the vendor. A security bulletin is one thing. Showing a software utility crashing something in a matter of seconds is much more compelling. Especially in the case of ICCP where one compromised utility is connected via ICCP to many other utilities.

My guess is that the tool will identify other vulnerabilities in untested systems that Digital Bond will never see. It provides the asset owner with detail for the vendor to fix the problem.

As I said in the blog entry, the factor that tipped the balance was our goal to provide asset owners with information, services and tools. It is a tough call, and a reasoned argument can be made for not releasing.

Comment from Ralph Langner
Time: August 29, 2007, 10:21 am

It’s the right thing to do from an awareness point of view. We have told clients for years: Your PLCs, OPC servers, SCADA systems may be crashed via the network. They said “aha”, went home, and did nothing.

After we actually demonstrated some crashes live, much changed. It was kind of a big bang. Clients began to actually realize the potential magnitude of the problem. It wasn’t theory, it was hard facts. Some even had sleepless nights.

Now we are giving clients some of our test tools for free so that they can demonstrate to management that there really is a problem.

Comment from Jake Brodsky
Time: August 29, 2007, 2:45 pm

I’m not sure what will wake up our managers without waking up legislators at the same time. That is my concern. Setting up a demonstration of an attack and showing it to a crowd of people in a conference or a convention hall, that’s one thing. Posting software to do the same, even to a limited audience, is another.

This program is going to migrate, Dale. The Internet has a much wider audience than most conferences. All someone has to do now is to show this to some legislator’s assistant and before you know it we’ll be buried in half baked legislation.

I hope I’m wrong about this.

Comment from Matthew Franz
Time: August 29, 2007, 4:05 pm

Jake,

I’ve grown cynical over the years about the real likelihood of the negative sort of impact you envision. Over and over again (while I was at Cisco) I heard that when X vuln gets disclosed or Y tool gets released the Internet will go down, core routers will go down, DNS, etc. And yes, those sorts of concerns were even voiced in the leadup to the disclosure of said ICCP vulnerability by US-CERT.

Vulnerabilities in lab conditions are always easier to exploit than in the real world. I went through this exercise a number of times and the nightmare scenarios never happened [that we knew of]. It may just be me, but I’ve grown sort of deaf to all the “crying wolf.”
