Today, CISA released the Continuous Diagnostics and Mitigation Program: Identity, Credential, and Access Management (ICAM) Reference Architecture to help federal civilian departments and agencies integrate their identity and access management (IDAM) capabilities into their ICAM architectures. Prior to this release, there was no singular, authoritative, and recognized reference for architecting an ICAM capability across an enterprise. 

This publication provides:

• a description of the federal ICAM practice area, including how ICAM services and components implement ICAM use cases,
• a description of related CDM capabilities,
• an introduction to federation services, and 
• a high-level notional physical implementation.

In addition, it explores zero trust architecture and illustrates how ICAM and CDM help enable it.

CISA encourages federal departments and agencies to use this publication to create their most robust and effective ICAM capability. CISA’s Continuous Diagnostics and Mitigation Program web page offers additional resources.

Fortinet has released security updates to address vulnerabilities (CVE-2023-29183 and CVE-2023-34984) affecting FortiOS, FortiProxy, and FortiWeb. A cyber threat actor can exploit one of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review Fortinet security advisories (FG-IR-23-106 and FG-IR-23-068) and apply the necessary updates.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.0
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: WIBU Systems CodeMeter
• Vulnerability: Heap-Based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to escalate privileges or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• PSS(R)CAPE V14: All versions prior to V14.2023-08-23
• PSS(R)CAPE V15: All versions prior to V15.0.22
• PSS(R)E V34: All versions prior to V34.9.6
• PSS(R)E V35: All versions
• PSS(R)ODMS V13.0: All versions
• PSS(R)ODMS V13.1: All versions prior to V13.1.12.1
• SIMATIC PCS neo V3: All versions
• SIMATIC PCS neo V4: All versions
• SIMATIC WinCC OA V3.17: All versions
• SIMATIC WinCC OA V3.18: All versions
• SIMATIC WinCC OA V3.19: All versions prior to V3.19 P006
• SIMIT Simulation Platform: All versions
• SINEC INS: All versions
• SINEMA Remote Connect: All versions

3.2 Vulnerability Overview

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

In CodeMeter Runtime versions up to 7.60b, there is a heap buffer overflow vulnerability which can potentially lead to a remote code execution. Currently, no PoC is known. To exploit the heap overflow, additional protection mechanisms need to be broken. Remote access is only possible if CodeMeter is configured as a server. If CodeMeter is not configured as a server, an attacker would need to log in to the machine where the CodeMeter Runtime is running or trick a user into sending a malicious request to CodeMeter. This might result in an escalation of privilege. (WIBU-230704-01)

CVE-2023-3935 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• PSS(R)CAPE V14, PSS(R)CAPE V15, PSS(R)E V34, PSS(R)E V35, PSS(R)ODMS V13.0, PSS(R)ODMS V13.1, SIMATIC PCS neo V3, SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18, SIMATIC WinCC OA V3.19, SIMIT Simulation Platform, SINEC INS, SINEMA Remote Connect: If CodeMeter Runtime is configured as server: Limit remote access to systems where the CodeMeter Runtime network server is running
• SIMIT Simulation Platform: Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts
• PSS(R)CAPE V15, PSS(R)E V34, PSS(R)ODMS V13.1: For affected versions: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from
  https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
• SIMATIC PCS neo V3, SINEC INS, SINEMA Remote Connect: Currently no fix is planned
• SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18: Currently no fix is available
• PSS(R)ODMS V13.1: Update to V13.1.12.1 or later version
• PSS(R)CAPE V15: Update to V15.0.22 or later version
• SIMATIC WinCC OA V3.19: Update to V3.19 P006 or later version
• PSS(R)E V34: Update to V34.9.6 or later version
• PSS(R)E V35, SIMIT Simulation Platform: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from
  https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
• PSS(R)CAPE V14: CAPE V14 installations installed from material dated 2023-08-23 or later are not affected, as they contain a fixed version of CodeMeter Runtime.

For installations of CAPE V14 using material earlier than 2023-08-23: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.

• PSS(R)ODMS V13.0: Install WIBU Systems CodeMeter Runtime V7.60c or later version manually to fix the issue: Download the package from
  https://www.wibu.com/support/user/user-software.html and follow the installation instructions from WIBU Systems.
• PSS(R)CAPE V14, PSS(R)CAPE V15, PSS(R)E V34, PSS(R)E V35, PSS(R)ODMS V13.0, PSS(R)ODMS V13.1, SIMATIC PCS neo V3, SIMATIC PCS neo V4, SIMATIC WinCC OA V3.17, SIMATIC WinCC OA V3.18, SIMATIC WinCC OA V3.19, SIMIT Simulation Platform, SINEC INS, SINEMA Remote Connect: If CodeMeter Runtime is configured as client only in the affected product: Ensure that only trusted persons have access to the system and avoid the configuration of additional local accounts

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-240541 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• September 14, 2023: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 8.8
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: QMS Automotive
• Vulnerabilities: Plaintext Storage of a Password, Cleartext Storage of Sensitive Information in Memory, Generation of Error Message Containing Sensitive Information, Server-generated Error Message Containing Sensitive Information, Improper Verification of Cryptographic Signature, Insecure Storage of Sensitive Information, Cleartext Transmission of Sensitive Information, Improper Access Control, Unrestricted Upload of File with Dangerous Type, Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to perform malicious code injection, information disclosure or lead to a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• QMS Automotive: All versions prior to v12.39

3.2 Vulnerability Overview

3.2.1 PLAINTEXT STORAGE OF A PASSWORD CWE-256

User credentials are stored in plaintext in the database without any hashing mechanism. This could allow an attacker to gain access to credentials and impersonate other users.

CVE-2022-43958 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

3.2.2 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316

User credentials are found in memory as plaintext. An attacker could perform a memory dump, and get access to credentials, and use it for impersonation.

CVE-2023-40724 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

3.2.3 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

The affected application returns inconsistent error messages in response to invalid user credentials during login session. This allows an attacker to enumerate usernames, and identify valid usernames.

CVE-2023-40725 has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.4 SERVER-GENERATED ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-550

The affected application server responds with sensitive information about the server. This could allow an attacker to directly access the database.

CVE-2023-40726 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.5 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

The QMS.Mobile module of the affected application uses weak outdated application signing mechanism. This could allow an attacker to tamper the application code.

CVE-2023-40727 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.6 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922

The QMS.Mobile module of the affected application stores sensitive application data in an external insecure storage. This could allow an attacker to alter content, leading to arbitrary code execution or denial-of-service condition.

CVE-2023-40728 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L).

3.2.7 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected application lacks security control to prevent unencrypted communication without HTTPS. An attacker who managed to gain machine-in-the-middle position could manipulate, or steal confidential information.

CVE-2023-40729 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

3.2.8 IMPROPER ACCESS CONTROL CWE-284

The QMS.Mobile module of the affected application lacks sufficient authorization checks. This could allow an attacker to access confidential information, perform administrative functions, or lead to a denial-of-service condition.

CVE-2023-40730 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).

3.2.9 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The affected application allows users to upload arbitrary file types. This could allow an attacker to upload malicious files, that could potentially lead to code tampering.

CVE-2023-40731 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N).

3.2.10 INSUFFICIENT SESSION EXPIRATION CWE-613

The QMS.Mobile module of the affected application does not invalidate the session token on logout. This could allow an attacker to perform session hijacking attacks.

CVE-2023-40732 has been assigned to this vulnerability. A CVSS v3 base score of 3.9 has been assigned; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• QMS Automotive: Update to V12.39 or later version. The patch is available upon request from customer support.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-147266 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• September 14, 2023: Initial Publication

CISA released seven Industrial Control Systems (ICS) advisories on September 14, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-23-257-01 Siemens SIMATIC, SIPLUS Products
• ICSA-23-257-02 Siemens Parasolid
• ICSA-23-257-03 Siemens QMS Automotive
• ICSA-23-257-04 Siemens RUGGEDCOM APE1808 Product
• ICSA-23-257-05 Siemens SIMATIC IPCs
• ICSA-23-257-06 Siemens WIBU Systems CodeMeter
• ICSA-23-257-07 Rockwell Automation Pavilion8

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 6.5
• ATTENTION: Low Attack Complexity
• Vendor: Siemens
• Equipment: SIMATIC Field PG and SIMATIC IPC
• Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated local user to potentially read other users’ data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products of Siemens, are affected:

• SIMATIC Field PG M6: All Versions
• SIMATIC IPC BX-39A: All Versions
• SIMATIC IPC PX-39A: All Versions
• SIMATIC IPC PX-39A PRO: All Versions
• SIMATIC IPC RW-543A: All Versions
• SIMATIC IPC627E: All Versions
• SIMATIC IPC647E: All Versions
• SIMATIC IPC677E: All Versions
• SIMATIC IPC847E: All Versions

3.2 Vulnerability Overview

3.2.1 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access.

CVE-2022-40982 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Multiple
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Ensure that only trusted persons have access to the system and avoid the configuration of additional accounts.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-981975 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• September 14, 2023: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global). 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.8
• ATTENTION: Low attack complexity
• Vendor: Siemens
• Equipment: Parasolid
• Vulnerabilities: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Parasolid, a 3D geometric modeling tool, are affected:

• Parasolid V34.1: all versions prior to V34.1.258
• Parasolid V35.0: all versions prior to V35.0.253
• Parasolid V35.0: all versions prior to V35.0.260
• Parasolid V35.1: all versions prior to V35.1.184
• Parasolid V35.1: all versions prior to V35.1.246
• Parasolid V36.0: all versions prior to V36.0.142
• Parasolid V36.0: all versions prior to V36.0.156

3.2 Vulnerability Overview

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-41032 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-41033 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Parasolid V34.1: Update to V34.1.258 or later version
• Parasolid V35.0: Update to V35.0.253 or later version
• Parasolid V35.1: Update to V35.1.184 or later version
• Parasolid V36.0: Update to V36.0.142 or later version
• Parasolid V35.0: Update to V35.0.260 or later version
• Parasolid V35.1: Update to V35.1.246 or later version
• Parasolid V36.0: Update to V36.0.156 or later version
• Do not open untrusted X_T files in Parasolid

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-190839 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this (these) vulnerability(ies), such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• September 14, 2023: Initial Publication

In recognition of National Preparedness Month, CISA’s Chief Meteorologist, Sunny Wescott, talks about a lesser-known side of CISA – our role in helping critical infrastructure prepare for and respond to natural disasters.

Mozilla has released security updates to address a vulnerability affecting Firefox, Firefox ESR, and Thunderbird. A cyber threat actor can exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Mozilla’s advisory (MFSA 2023-40) and apply the necessary updates.