ICS-CERT, the U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, issues so many advisories on critical security flaws that I'm posting updates here on a regular basis. (See: Advisory: Industrial Wireless Gateway Vulnerabilities.) One of the latest urges operators to patch IGX industrial control systems.
This advisory asks companies in the UK, the US, and more than 30 other countries to apply a fix just released for the IntegraXor (IGX) industrial control software. The fix follows the disclosure of a zero-day vulnerability that lets remote attackers crash affected systems.
IntegraXor, produced by Malaysia's Ecava Sdn Bhd, is a toolset that creates and runs a web-based human-machine interface (HMI) for SCADA industrial control systems. The flaw was revealed at the S4 conference on January 15 by security researcher Luigi Auriemma. ICS-CERT issued an alert the same day, identifying CVE-2014-0753 as a buffer-overflow vulnerability that allows remote attackers to target the system.
According to ICS-CERT's advisory (ICSA-14-016-01), the researcher released the details publicly rather than coordinating with ICS-CERT first, which is why the vendor had to respond after the fact. Ecava has since released a patched version that mitigates the vulnerability, and operators should apply it.
Industrial companies are consistently described as particularly weak on cybersecurity. They need procedures and processes in place to monitor activity across their entire systems so that anomalies can be spotted early, and that is seldom done.
Is it any wonder, then, that advisories are being issued more and more often?
— Carolyn Mathas is a freelance blogger and editor for EE Times' Industrial Control Designline