I tweeted on this OSIsoft self-disclosure last week:
It’s huge that OSIsoft self reported these and even provided summary CVSS info. Continued leadership in ICSsec space https://t.co/YL3dYw3HxU
— Dale Peterson (@digitalbond) August 14, 2015
But I want to write a bit more, because this is not only new, or at least extremely rare, but hopefully will be an example that other vendors pick up.
There are a lot of good things about these 56 fixed vulnerabilities. Yes, good news about vulns. First, OSIsoft is looking for and fixing vulnerabilities in their legacy code, and not just when they get a report from a researcher. They have been working on their Security Development Lifecycle (SDL) for years, and presented on its successes and failures at a couple of S4 conferences.
This is great for new projects and products, but OSIsoft and most other ICS vendors are dealing with a lot of legacy code. It is a tough internal sale to convince management it is worth spending money to go through old deployed code and find and fix the bugs that lead to vulns.
OSIsoft is not alone in doing this. There are a number of vendors that have been working on this for 5+ years and are showing some great results. Still not a majority of the vendors, and not in the embedded devices, but more than a handful of vendors writing ICS software for servers and workstations have really stepped up their SDL.
It is challenging enough to convince management to find security problems in deployed code that no one is complaining about, and then to spend the money to fix the bugs that lead to vulns. This is where most ICS vendors stop. They do the dreaded silent fix. They put out a new minor release of the code, talk about a few small known bug fixes and features, but never mention that the release also fixes some important vulnerabilities.
The problem with this is that owner/operators cannot make an informed decision about whether to upgrade without this information. I know SCADA lifers will say that almost no one upgrades, but it’s a brave new world in ICS, and even if they choose not to upgrade it will be an informed decision whose ramifications they will need to live with.
So OSIsoft announces that there are 56 vulnerabilities fixed in the new version and even provides basic information on the CVSS scores. They rate 21 of the 56 high, so you may want to consider carefully whether to upgrade a PI Server, which often communicates between security zones of different trust levels.
The final bit of applause comes from the information on their customer portal, which I cannot disclose here. They do provide a bit more information on the classes of vulnerabilities, but not enough to substantially help an attacker. More importantly, this information has been out for PI customers since the release date, June 30th. Some will disagree, but personally I like the vendor giving customers who follow the support channel a two to three month head start on vulnerabilities and patches that are not yet public.
I’ll end this post with Bryan Owen of OSIsoft’s tweet thanking some of those that helped make this happen:
+collaboration creds this cycle: @IOActive review critical bits @DejavuSecurity Peach @cigital @michael_howard #SDL https://t.co/wiXYmWvblO
— bryan owen (@bryansowen) August 14, 2015