10 Replies Latest reply on May 23, 2016 11:57 AM by Chris Kerr

    Do you need to upgrade your SAGE Firmware for security purposes?

    Chris Kerr

      The attached document is to help customers decide whether or not it is required for them by NERC CIP to update the firmware in their SAGE RTUs.


      Though not a security issue, both C3413 (586) and C3414 (LX800) need to be updated with the latest firmware since it has a patch for the ActiveX problem with IE 10 and IE 11. Please refer to config@web_IE11_settings_V1.1.pdf, Item 5 under the Known Issues section, for more info.


      1) Were there any patches or updates addressing security issues in the latest C3413 firmware or Operating System? The latest version is C3413-500-001F0_PB

       

      In the C3413-500-001F0 Firmware release, we addressed the following security concerns:

        • ISaGRAF now runs only if some point is mapped (security – removes unused IP ports).
        • Debugger removed from VxWorks (security – removes unused IP ports)
        • Added new Connection Status points for new connection established on DNP Ports.
        • Strong Passwords are now enforced.
        • DNPR Port filtering

       

      In the C3413-500-001D3 we addressed the following potential security issue:

        • DNP TCP/IP changes to handle garbage data in the input stream.

       

      2) Were there any patches or updates addressing security issues in the latest C3414 non-secure firmware or Operating System?

      In the C3414-500-001G0 Firmware release, we addressed the following security concerns:

        • Comply with NERC/CIP vulnerability document (http://www.us-cert.gov/control_systems/pdf/ICSA-10-214-01.pdf) regarding password hash weakness and remove debug task and port to prevent exploitation
        • Verify version of VxWorks is G0 or greater to allow registration of watchdog service function for use with network security protocols.

      In the C3414-500-001F0 Firmware release, we addressed the following security concerns:

        • VxWorks changed to remove anonymous FTP login
        • ISaGRAF now runs only if some point is mapped (security – removes unused IP ports).
        • Debugger removed from VxWorks (security – removes unused IP ports)

       


      3) What security issues are addressed in the C3414 Secure firmware?

      Secure Features                    | Non-Secure Features
      -----------------------------------+----------------------------------
      HTTPS (Secure Web Browser)         | HTTP
      SSH                                | Telnet
      SFTP                               | FTP
      Removed ActiveX Controls           | Up/Download & Data Trap ActiveX
      One file firmware update           | GUI, Application, OS
      One file Config Update             | XML, Templates, IP Address
      Centralized User Management        | Users changed in RTU.
      Secured Local Console (UIF port)   | Local Console Open
      Built in Firewall                  | No Firewall
      Persistent Routing Tables          | No Routing Table
      Login Statistics                   |
      Command Log                        |
      Capture PCAP Network Data in RTU   |
      IPSec                              |


       

      In the C3414-500-S02J2 Firmware release, we addressed the following security concerns:

        • Use (or non-use) of secure and non-secure protocols is now configurable via the CPU config page. Can choose to use HTTPS or HTTP or both, SSH and/or Telnet, SFTP and/or FTP.
        • VxWorks OS: Added fix for ICS-VU-532813 VxWorks Vulnerability (RE: Case: 00001357/VXW6-83790) regarding predictable TCP sequence number generation.
        • Fixes to Command Log Performance

       

      In the C3414-500-S02J1 Firmware release, we addressed the following security concerns:

        • Web Server: Update OpenSSL source to version 0.9.8za.
        • Disabled SSL v2 and weak cipher protocols using short security key sizes (<64 bits).
        • Added support for SSL 3.0 and TLS 1.0
        • IPSec

       

      In the C3414-500-S02J0 Firmware release, we addressed the following security concerns:

        • Both secure and non-secure protocols are now selectable from GUI.
        • Added SSH fixes to eliminate known security vulnerabilities.
        • Command Log added.
        • Login attempts, successes and failures from GUI, console, remote shell, and file transfers now logged into the userlog.
        • Added ACC points to count login successes and failures. Added STS point to alert for failed login attempts.
        • Added internal STS and ACC points to indicate firmware update package installation success or failure.

       

      Message was edited by: Chris Kerr Added IPSec to list of Security Features