Last week, the Department of Homeland Security’s ICS-CERT released an advisory for the Advantech WebAccess product. The advisory detailed 15 different vulnerabilities, reported by at least seven different security researchers. ICS-CERT said that the vulnerabilities could be exploited remotely, and that an attacker with “low skill” would be able to exploit them.
Patrick Coyle pointed out that the release notes and press release for this update, released by Advantech in late December, give no indication that the update contains any security-related patches. This, despite 15 different vulnerabilities being fixed!
For people who are lucky enough to live in the NERC CIP world, this creates an interesting situation. Organizations are required to monitor a “patch source” for cyber security patches. This is likely to be the vendor, in this case Advantech. (Note: I don’t want it to sound like I’m picking on Advantech. The same situation happens with other vendors, too.) If the patch isn’t security-related, then the organization is not required to apply the patch. If the patch is security-related, then they either need to apply the patch or else create a mitigation plan for how they will prevent the vulnerability from being exploited.
Since the Advantech release notes didn’t say anything about this patch being security-related, the organization would have stopped there. Now, a month later, ICS-CERT releases its advisory and we find out, “Oh, that patch was security-related.” Here’s the kicker, though: the organization isn’t required to scour the Internet looking for vulnerability reports. They aren’t required to monitor ICS-CERT, they’re not required to monitor Full Disclosure, nothing. They did what they were required to do when they checked Advantech’s release notes and didn’t find anything that said the update was security-related.
So now, we’re in a situation where the organization has a system with at least 15 publicly disclosed vulnerabilities. For the CIP patch management process, they did what they were supposed to do. The compliance people checked to make sure that they evaluated the Advantech patch. The operations people have a product they’re using, and if it’s working, they aren’t going to want to apply an update. The security people may or may not exist, and if they do exist, they may or may not be monitoring ICS-CERT (although I hope they would be).
The bottom line is, you have an entity which is fully compliant with the NERC CIP regulations, regulations that explicitly require you to apply security patches, yet this security patch hasn’t been applied.