ICS Advisory (ICSA-22-221-02) Vulnerabilities in Emerson ControlWave

Joint Report of NERC and Texas RE Regarding Inverter-Based Resource Performance Identifies Reliability Risk

August 11, 2022

Industry Webinar Regarding Extreme Cold Weather Grid Operations, Preparedness, and Coordination

August 11, 2022

Published by Certrec on August 11, 2022

Summary:

CISA is aware of a public report, known as “OT:ICEFALL,” that details vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and to identify baseline mitigations to reduce risks to these and other cybersecurity attacks. Successful exploitation of this vulnerability could cause file manipulation, remote code execution, or denial-of-service.

Additional Discussion:

The following versions of ControlWave, a programmable controller, are affected:

ControlWave: All versions

Link

https://cwe.mitre.org/data/definitions/345.html

Mitigation

Emerson ControlWave firmware updates can be restricted by the following methods:

A hardware switch can be set to block remote firmware download.
System variable “_APPLICATION_LOCKED” can be set TRUE to disable remote firmware download.
Before installing firmware into the RTU, confirm the MD5/SHA256 Hashes published by Emerson on SupportNet (login required) match the firmware image, confirming it is genuine and unmodified.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Certrec

Comments are closed.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.