New Vulnerability Discovery Reportedly Abuses Same Protocol Used in Industroyer/CRASHOVERRIDE

Successful exploitation of the vulnerability recently published in ICS-CERT Advisory ICSA-20-042-12 regarding Siemens SIPROTEC 4 and SIPROTEC Compact (reported in the Security & Resilience Update for February 13, 2020) is believed to allow an attacker to reproduce damage caused by Industroyer/CRASHOVERRIDE, the ICS-specific malware used to attack the Ukraine electric grid in 2016. A researcher at ICS cybersecurity firm Claroty responsibly disclosed the vulnerability to Siemens, and is now providing a few more public details to inform asset owners to the potential impact to their environments. According to Claroty, this Digsi4 protocol allows users to program the protection relay and change its behavior. Like many ICS hardware using proprietary protocols, securing these critical devices requires deep understanding of those protocols, a fundamental knowledge of Operational Technology (OT) security, and continuous research to find and map potential vulnerabilities—whether in the design of the protocol, implementation, or determining attempts to abuse it. A defense strategy for addressing these types of vulnerabilities would be to review the Consequence-driven, Cyber-informed Engineering (CCE) methodology developed at Idaho National Labs. WaterISAC’s 15 Cybersecurity Fundamentals, #6 – Install Independent Cyber-Physical Safety Systems discusses CCE. Read more about the vulnerability at Claroty