23 July 2012 by Andrew Wadsworth
Vulnerability discovered in PI OPC
ICS-CERT published a bulletin disclosing the discovery of a vulnerability in OSIsoft PI OPC DA interface which can allow an attacker to cause a crash or execute arbitrary code on the system.
The bulletin is available on the ICS-CERT website: http://www.us-cert.gov/control_systems/pdf/ICSA-12-201-01.pdf. There is no active exploitation known at this time but crafting one is assessed as requiring 'medium skill' level. A fix is available from OSIsoft (http://techsupport.osisoft.com).
Whilst an attacker has to gain access to the system somehow (e.g. via the network or code on a USB stick) in order to exploit the vulnerability, companies using PI OPC (and a very large proportion of energy companies do) should evaluate the potential impact and consider applying the fix.
This is a good example of system vendors and the US Idaho National Labs and ICS-CERT working together to identify vulnerabilities, create a fix and then make a co-ordinated disclosure (often known as responsible disclosure) of information. OSIsoft have not only made their software available for testing and not tried to hide the results but been open about it and, most importantly, done something about it.Kudos to OSIsoft.
Wondering what we’re talking about? Here’s a brief glossary of terms in this blog:
- ICS-CERT - the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides a control system security focus in collaboration with US-CERT
- OSIsoft are a worldwide manufacturer of application software for real-time data infrastructure solutions
- PI system is enterprise infrastructure for management of real-time data and events
- OPC (OLE for Process Control or Open Connectivity) is a standard established by the OPC Foundation task force to allow applications to access plant floor process data in a consistent manner
- DA = Data Access
To find out more about how to protect your process control systems, please contact us.