ICS

Hello All. Researchers at Claroty, a well-known OT passive monitoring vendor, have disclosed multiple critical vulnerabilities in vendor implementations of the Open Platform Communications (OPC) network protocol.

What is the OPC Protocol Anyway?

OPC delivers data from a source such as a server to any client application in a standard way, without the application needing any specific knowledge of the data source or its native communication protocol. Without such a standard, every pair of diverse OT systems that has to exchange data needs its own protocol or driver. The OPC standard (originally OLE for Process Control, now Open Platform Communications) was developed to solve this.

Classic OPC is a communication standard built on Microsoft's OLE/COM (Object Linking and Embedding / Component Object Model) object-oriented technology, which was designed for integration between different applications, so that connections between the units of an automation system are fast and reliable. Because COM calls between hosts travel over DCOM, which negotiates dynamic ports, classic OPC is awkward to pass through firewalls; that gap is what OPC tunnelling products such as the Matrikon OPC Tunneller discussed below are sold to fill.

Claroty’s Findings

The vulnerabilities affect the following vendors and products: Softing's Industrial Automation OPC library, PTC's Kepware ThingWorx Kepware Edge and KEPServerEX OPC servers, and Matrikon's OPC Tunneller.

These three products are integrated into many other vendors' offerings as third-party components. For example, Softing's OPC library is used as a third-party OPC protocol stack by some vendors, and the KEPServerEX OPC server is used as an off-the-shelf OEM solution by other well-known vendors, including Rockwell Automation and GE, both of which have published advisories informing their users of these security issues. Claroty believes these vulnerabilities may affect multiple other products sold by vendors across all ICS vertical markets. Here is the list of CVEs:

Softing Industrial Automation GmbH

  • CVE-2020-14524: Heap-Based Buffer Overflow (CWE-122)
  • CVE-2020-14522: Uncontrolled Resource Consumption (CWE-400)

Kepware PTC

  • CVE-2020-27265: Stack-based buffer overflow (CWE-121)
  • CVE-2020-27263: Heap-based buffer overflow (CWE-122)
  • CVE-2020-27267: Use-after-free (CWE-416)

Matrikon (Honeywell) OPC Tunneller

  • CVE-2020-27297: Heap overflow due to integer overflow (CWE-122)
  • CVE-2020-27299: Information leak due to OOB read (CWE-125)
  • CVE-2020-27274: Improper check for unusual or exceptional conditions (CWE-754)
  • CVE-2020-27295: Uncontrolled resource consumption (CWE-400)
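The weakness classes in the list above (integer overflow leading to heap overflow, out-of-bounds read, uncontrolled resource consumption) share one root cause: count and length fields taken from the wire are trusted in arithmetic that can wrap, or in loops and allocations that are never bounded. The C program below is an added illustration of that pattern and its fix; it is not code from Claroty, Matrikon, Kepware or Softing, and the record format it parses is invented for the example, not the OPC or tunneller wire format. It places the vulnerable bounds check and size computation beside a hardened parser, and returns the wrapped size rather than allocating with it so the wrap can be seen without corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical message layout (an assumption for this example, not any
 * vendor's real OPC or tunnelling format):
 *   uint32 LE count              number of records that follow
 *   repeated: uint32 LE len      payload length in bytes
 *             uint8[len]         payload
 */
#define MAX_RECORDS   256u   /* policy caps: bound what one message may demand */
#define MAX_PAYLOAD   1024u
#define RECORD_BYTES  16u    /* size of one in-memory record in the vulnerable table */

typedef struct { uint32_t len; const uint8_t *data; } record_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* CWE-190 -> CWE-122: a table size computed in 32-bit arithmetic wraps, so a
 * huge count yields a tiny allocation that the per-record loop then overruns.
 * The product is returned rather than passed to malloc so the wrap can be
 * observed without corrupting the heap. */
uint32_t vulnerable_table_bytes(uint32_t count) {
    return count * RECORD_BYTES;            /* wraps once count >= 2^32 / 16 */
}

/* Vulnerable bounds check (CWE-125 / CWE-122): offset + len wraps past
 * UINT32_MAX, the comparison succeeds, and the read or copy runs off the end. */
int vulnerable_bounds_ok(uint32_t offset, uint32_t len, uint32_t buf_len) {
    return offset + len <= buf_len;
}

/* Hardened check: rearranged so no addition can overflow, with a policy cap. */
int hardened_bounds_ok(uint32_t offset, uint32_t len, uint32_t buf_len) {
    return offset <= buf_len && len <= buf_len - offset && len <= MAX_PAYLOAD;
}

/* Hardened parser: fills 'out' with at most max_out records and returns the
 * number parsed, or -1 if the message is malformed or exceeds policy limits. */
int parse_message(const uint8_t *buf, uint32_t buf_len,
                  record_t *out, uint32_t max_out) {
    if (buf_len < 4) return -1;
    uint32_t count = rd32(buf);
    /* CWE-400: refuse before allocating or iterating on an attacker-chosen count */
    if (count > MAX_RECORDS || count > max_out) return -1;
    uint32_t off = 4;
    for (uint32_t i = 0; i < count; i++) {
        if (!hardened_bounds_ok(off, 4, buf_len)) return -1;   /* length field fits? */
        uint32_t len = rd32(buf + off);
        off += 4;
        if (!hardened_bounds_ok(off, len, buf_len)) return -1; /* payload fits? */
        out[i].len = len;
        out[i].data = buf + off;
        off += len;
    }
    return (int)count;
}

/* Convenience wrapper: parse into a scratch table and return only the count. */
int count_records(const uint8_t *buf, uint32_t buf_len) {
    record_t recs[MAX_RECORDS];
    return parse_message(buf, buf_len, recs, MAX_RECORDS);
}

/* Constructed sample messages (not captured traffic). */
const uint8_t good_msg[] = {
    2,0,0,0,                  /* count = 2 */
    3,0,0,0, 'a','b','c',     /* record 0: len 3 */
    1,0,0,0, 'z'              /* record 1: len 1 */
};
const uint8_t bad_len_msg[] = {
    1,0,0,0,                  /* count = 1 */
    0xF8,0xFF,0xFF,0xFF       /* len = 0xFFFFFFF8: offset 8 + len wraps to 0 */
};
const uint8_t bad_count_msg[] = {
    0x01,0x00,0x00,0x10       /* count = 0x10000001: count * 16 wraps to 16 */
};

int main(void) {
    printf("good message: %d records\n", count_records(good_msg, sizeof good_msg));
    printf("wrapped length: vulnerable check %d, hardened check %d, parser %d\n",
           vulnerable_bounds_ok(8, 0xFFFFFFF8u, (uint32_t)sizeof bad_len_msg),
           hardened_bounds_ok(8, 0xFFFFFFF8u, (uint32_t)sizeof bad_len_msg),
           count_records(bad_len_msg, sizeof bad_len_msg));
    printf("wrapped count: vulnerable table size %u bytes, parser %d\n",
           vulnerable_table_bytes(0x10000001u),
           count_records(bad_count_msg, sizeof bad_count_msg));
    return 0;
}
```

The two checks differ only in how the comparison is arranged: `offset <= buf_len && len <= buf_len - offset` never adds two attacker-controlled values, so it cannot wrap, and the explicit caps on record count and payload length turn a 4 GB allocation request into a rejected message rather than a resource-exhaustion condition.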

Claroty is urging users of these products to upgrade to the latest versions to mitigate these vulnerabilities. Until that is done, the affected OPC servers and tunnellers should not be reachable from untrusted networks, since these are vulnerabilities in network protocol implementations.

Read more

The report is based on a study conducted by staff at FERC, NERC and the NERC regional entities. The study draws on information provided by experts at eight U.S. electric utilities of various sizes and functions, and its goal was to help the industry improve incident response and incident recovery plans, which, the study's authors say, help ensure the reliability of the bulk electric system in the event of a cybersecurity incident.

The study found that there is no single best incident response and recovery (IRR) plan model. The IRR plans of the participating utilities share many similarities, as they are all based on the same NIST framework (SP 800-61, the Computer Security Incident Handling Guide), but there are also differences: for example, some organizations have developed separate plans for incidents affecting their operational and business networks.

Read more