Security Updates

Meltdown and Spectre Vulnerabilities

Honeywell is aware of the recently published Meltdown and Spectre vulnerabilities. These vulnerabilities take advantage of optimization methods for CPU instruction execution and could cause information disclosure. There are no known exploits at this point in time. Honeywell is actively qualifying patches as they become available to mitigate the Meltdown and Spectre vulnerabilities. Honeywell will continue to work with our hardware partners in order to identify and qualify security patches to impacted hardware as these patches become available.


Experion – Microsoft Windows


Honeywell has qualified the following updates for Windows. Note that KB4056890, supported in the previous qualification, is superseded by KB4057142.

| Operating System Version | Update KB |
|---|---|
| Windows 7 SP1 and Windows Server 2008 R2 SP1 | KB4056894 |
| Windows 8.1 and Windows Server 2012 R2 | KB4056895 |
| Windows Server 2012 | KB4056896 |
| Windows 10 Version 1607 and Windows Server 2016 | KB4057142 |

 

These updates are included in the January Microsoft Security Updates at www.honeywellprocess.com.

The January 2018 ISO Data Sheet is located at https://www.honeywellprocess.com/library/support/security-updates/Entitled/Microsoft-Security-Updates-ISO.pdf

Microsoft released updates for Windows Server 2008 SP2 and Windows Server 2012 OS in March.

| Operating System Version | Update KB |
|---|---|
| Windows Server 2008 SP2 | KB4089229 |
| Windows Server 2012 | KB4088877 |

 

Microsoft released an out-of-band update for Windows 7 and Server 2008. This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-bit (x64) version of Windows.

| Operating System Version | Update KB |
|---|---|
| Windows 7 Service Pack 1 and Windows Server 2008 R2 Service Pack 1 | KB4100480 |

The Honeywell-Qualification-Matrix (HQM) is located at https://www.honeywellprocess.com/library/support/security-updates/Customer/Honeywell-Qualification-Matrix.zip
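To audit a node against the qualified-update tables above, the following added example (not Honeywell code) reports whether each listed KB is recorded as installed. The KB numbers come from this page; the Windows version prefixes used to select a row are assumptions of the example, and 6.0 and 6.2 also match client releases the tables do not list.

```powershell
# Added example, not Honeywell code. KB numbers are copied from the tables above;
# the Windows version prefixes used to pick a row are this example's assumption.
$qualified = @(
    @{ Prefix = '6.0.';       OS = 'Windows Server 2008 SP2';            KBs = @('KB4089229') },
    @{ Prefix = '6.1.';       OS = 'Windows 7 SP1 / Server 2008 R2 SP1'; KBs = @('KB4056894', 'KB4100480') },
    @{ Prefix = '6.2.';       OS = 'Windows Server 2012';                KBs = @('KB4056896', 'KB4088877') },
    @{ Prefix = '6.3.';       OS = 'Windows 8.1 / Server 2012 R2';       KBs = @('KB4056895') },
    @{ Prefix = '10.0.14393'; OS = 'Windows 10 1607 / Server 2016';      KBs = @('KB4057142') }
)

# Get-WmiObject and Get-HotFix exist in PowerShell 2.0, so this also runs on Windows 7.
$os      = Get-WmiObject -Class Win32_OperatingSystem
$is64    = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
$present = @(Get-HotFix | ForEach-Object { $_.HotFixID })

# Pick the table row whose version prefix matches this node.
$row = $qualified | Where-Object { $os.Version.StartsWith($_.Prefix) } | Select-Object -First 1
if (-not $row) {
    Write-Warning "$($os.Caption) ($($os.Version)) is not in the qualified-update tables."
} else {
    foreach ($kb in $row.KBs) {
        # KB4100480 addresses the x64 kernel only, so skip it on 32-bit nodes.
        if ($kb -eq 'KB4100480' -and -not $is64) { continue }
        if ($present -contains $kb) {
            $state = 'installed'
        } elseif ($kb -eq 'KB4057142' -and $present -contains 'KB4056890') {
            # The page states that KB4056890 is superseded by KB4057142.
            $state = 'superseded KB4056890 installed; apply KB4057142'
        } else {
            $state = 'not found'
        }
        New-Object PSObject -Property @{
            Node = $env:COMPUTERNAME; OS = $row.OS; KB = $kb; State = $state
        } | Select-Object Node, OS, KB, State
    }
}
```

Get-HotFix lists only the KB IDs recorded on the node, so a node carrying a later rollup that supersedes one of these updates reports "not found"; check such nodes against the HQM before acting on the result.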

Experion - Honeywell Qualified PC Platforms

Honeywell is working with PC manufacturers to obtain the latest security fixes. Honeywell will qualify BIOS and driver updates as they become available from our vendors.

Experion - Symantec

Honeywell will qualify the release fixes for SEP 14 RU1 MP1 & SEP 12.1.6 MP9 when they become available.

Experion - McAfee

McAfee is testing to ensure product compatibility with operating system patches related to Meltdown and Spectre. See the following link for current status and further updates: https://kc.mcafee.com/corporate/index?page=content&id=KB90167

Microsoft introduced a new registry key with this update to control whether the update will be available via the Windows Update service. Starting with the January 12th DAT (8772), customers who use VirusScan Enterprise (VSE) 8.8 and receive their DAT updates through ePolicy Orchestrator (ePO) will have the registry key automatically updated.

The DAT adds the check for the registry key, and sets it if it is not present. Customers who have already set the registry key should not have any issues.

For customers who do not use ePolicy Orchestrator (ePO), Honeywell recommends that they run a new McAfee tool to deploy the required registry key. See the following link for further information related to the tool: https://kc.mcafee.com/corporate/index?page=content&id=KB90167. This tool is validated for use on Honeywell McAfee qualified systems. Click here for information about how to download and run the New McAfee tool.

Experion - Virtualized Systems (VMware)

Honeywell has qualified the following updates for VMware (see https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html for the VMware Security Advisories related to Meltdown and Spectre):

| VMware Product | Product Version | Running On | Severity | Replace with/Apply Patch | Mitigation/Workaround |
|---|---|---|---|---|---|
| ESXi | 6.0 | Any | Important | ESXi600-201711101-SG | None |
| ESXi | 5.5 | Any | Important | ESXi550-201801301-BG* | None |

*ESXi550-201801301-BG mitigates both CVE-2017-5753 and CVE-2017-5715. This patch is not applicable if a host has already applied the ESXi550-201801401-BG patch.

Experion - Series A (C200, FIM2, IOLIM, ...) and Series C (C300, FIM4+, …) Controllers

These controllers are based on the PowerPC processor, which is not at risk from Meltdown. Honeywell is investigating the impact of Spectre on these controllers.

Experion - Wyse Thin Client

There is no hardware update for the Wyse Z90. Honeywell will qualify the Wyse security update when it is available.

Safety Manager

The Safety Manager Safety Processor (QPP module), Universal Safety IO (USIO) and the Fail Safe Controller (FSC) are not at risk from Meltdown and Spectre. The communication module (USI) is not at risk from Meltdown; the impact of Spectre on the USI is under investigation.

One Wireless

Honeywell OneWireless products are not at risk from Meltdown and Spectre.

Other applications (Mozilla, Chrome, SQL, IE11, etc.)

For Honeywell qualified applications such as IE and SQL, Honeywell has validated Microsoft updates based on the Microsoft recommendations at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002. These updates are included in the January Microsoft Security Updates at www.honeywellprocess.com. Some of the updates, such as SQL, require manual installation. For any unqualified browser or application installed, Honeywell recommends that you check the vendor site for recommendations. As part of the January Microsoft update qualification, Honeywell qualified SQL Server 2008 SP4 GDR and SQL Server 2008 R2 SP3 GDR. These are available in the January ISO image.

Microsoft recently provided updates for SQL Server 2014 SP2 GDR and SQL Server 2012 SP3 GDR. Honeywell is planning to validate these updates and make them available as appropriate in the February ISO image.

4057120 Description of the security update for SQL Server 2014 SP2 GDR: January 16, 2018

4057115 Description of the security update for SQL Server 2012 SP3 GDR: January, 2018

Performance Impact (All Systems and Applications)

Note that mitigations for these vulnerabilities may decrease PC platform performance; the magnitude of the decrease depends on the specific platforms in use. Honeywell is evaluating the performance impact of mitigations. For all Honeywell products, including Honeywell applications that run on standalone platforms, care should be taken to ensure that this decrease in platform performance does not significantly affect critical operations.

For more information on these vulnerabilities, please see https://www.us-cert.gov/ncas/current-activity/2018/01/03/Meltdown-and-Spectre-Side-Channel-Vulnerabilities and https://www.us-cert.gov/ncas/alerts/TA18-004A.

It is recommended that you follow the best practices described on this page under “Honeywell Recommends Steps to Mitigate Threats Posed by Malware,” including installing the latest qualified Windows patches.


TRITON or HatMan

Malware known as TRITON or HatMan was recently discovered, as reported by the National Cybersecurity and Communications Integration Center (MAR-17-352-01). According to the published report, HatMan directly interacts with, remotely controls, and compromises Triconex safety systems.

Although Honeywell systems are not affected by this attack, Honeywell recommends the following actions to assure DCS and Safety Systems remain protected:

  1. Read and implement the best practices as defined in the Experion Network Security Guidelines and Safety Manager safety manual. Review the ICS-CERT statement.

  2. Use and verify change management procedures with the Safety Manager key switch. Please refer to the Safety Manager safety manual (rev R153.4, Section 3) about key positions. Assure that remote load is disabled.

  3. Implement whitelisting on the engineering workstation nodes where configuration is performed for DCS (ControlBuilder) and Safety (SafetyBuilder). Honeywell has supported solutions for both McAfee and Bit9 whitelisting solutions. Customers that do not have their Experion system whitelisted today can whitelist a single end node (unmanaged node) without an ePO server using McAfee whitelisting. Customers that are using whitelisting in their Experion systems today should make sure they have the latest policy files from Honeywell. Honeywell service technicians can perform the installation and configuration.

  4. In addition to isolating network access for SIS systems, ensure the Windows Firewall is enabled on engineering workstation nodes where configuration is performed for DCS (ControlBuilder) and Safety (SafetyBuilder). Assure that communication is only permitted between the engineering workstation and the associated control devices; no external communication should be permitted. Honeywell uses port 51010 for its SIS communications. An added protection is to create a firewall rule that blocks all outgoing traffic used on that port. You can disable that rule when you need to use the Safety Builder to communicate to the SIS. If you are using the McAfee firewall, you can alternatively create a custom rule override to only allow the Safety Builder application to use that port, blocking all other applications. Please contact Honeywell for additional information.
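The Windows Firewall rule described in step 4, as an added example that is not Honeywell code. The rule name is hypothetical, and because the page does not state the transport or which side owns port 51010, the example assumes it is the remote (SIS-side) port and blocks both TCP and UDP.

```powershell
# Added example, not Honeywell code. Run from an elevated PowerShell prompt on the
# engineering workstation. netsh is used so the same commands work on Windows 7.
$RuleName = 'Example-Block-SIS-51010-Out'   # hypothetical rule name
$SisPort  = 51010                           # SIS port stated in step 4

function Test-FirewallOn {
    # True only if no profile (Domain/Private/Public) reports "State OFF".
    # Assumes English-language netsh output.
    $state = netsh advfirewall show allprofiles state
    -not ($state -match '^State\s+OFF')
}

function Install-SisBlock {
    # Remove earlier copies so re-running does not stack duplicate rules.
    netsh advfirewall firewall delete rule name=$RuleName | Out-Null
    foreach ($proto in 'TCP', 'UDP') {      # transport not named on the page: block both
        netsh advfirewall firewall add rule name=$RuleName dir=out action=block `
            protocol=$proto remoteport=$SisPort enable=yes | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not add $proto rule (elevated prompt?)" }
    }
}

function Set-SisBlock {
    # Enables or disables every rule carrying $RuleName (the TCP and the UDP one).
    param([bool]$Enabled)
    $flag = if ($Enabled) { 'yes' } else { 'no' }
    netsh advfirewall firewall set rule name=$RuleName new enable=$flag | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Rule $RuleName not found or not changed" }
}

# Typical sequence, tied to the change-management procedure in step 2:
#   if (-not (Test-FirewallOn)) { Write-Warning 'Windows Firewall is off on a profile' }
#   Install-SisBlock                 # once, when hardening the workstation
#   Set-SisBlock -Enabled $false     # immediately before a SafetyBuilder session
#   Set-SisBlock -Enabled $true      # immediately after the session ends
#   netsh advfirewall firewall show rule name=$RuleName    # confirm the current state
```

A block rule only has effect while the firewall profile is on, so run the Test-FirewallOn check before relying on it.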

We will continue to monitor TRITON and update this guidance as necessary. 

Additional information about TRITON can be found at the following links:

https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan%E2%80%94Safety-System-Targeted-Malware


Bad Rabbit

A new ransomware outbreak has been identified as “Bad Rabbit” and is currently known to infect targets by utilizing a fake Adobe Flash installer that is presented to the user to download and install via a “drive-by attack” when visiting a website that is distributing this malware. Once infected, this malware utilizes a known vulnerability in SMBv1 to infect additional targets on the network. This ransomware encrypts the full disk, modifies the Master Boot Record (MBR) and forces a reboot at which point the node will prompt the end user to pay the ransom. 

It is recommended that you follow the best practices described on this page under “Honeywell Recommends Steps to Mitigate Threats Posed by Malware,” including installing the latest qualified Windows patches. For more information about this specific ransomware, see the report issued by the United States Computer Emergency Readiness Team (US-CERT) at https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported.


Goldeneye / Petya Malware

A recent ransomware outbreak is utilizing a known vulnerability in SMBv1 to infect targets. This ransomware encrypts the Master File Table (MFT) and forces a reboot, at which point the node will prompt the end user to pay the ransom. It is currently reported to spread via phishing attacks; once the ransomware enters a network, it attempts to spread through the use of WMIC and PSEXEC, allowing the ransomware to impact machines that otherwise would not be vulnerable to the SMBv1 exploit vector. It is being reported that the email address used to facilitate unlocking of an infected machine has been shut down and therefore paying the ransom will no longer work.

It is recommended that you follow the best practices described on this page under “Honeywell Recommends Steps to Mitigate Threats Posed by Malware,” including installing the latest qualified Windows patches. For more information about this specific ransomware, see the report issued by the United States Computer Emergency Readiness Team (US-CERT) at https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported. Also see the Alert issued by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-181-01B.

CrashOverride/Industroyer Malware

Malware currently referred to as either “CrashOverride” or “Industroyer” is an industrial control system attack platform that is gaining attention due to the nature of its target platforms in addition to its modular design. The variant currently known to the security industry targets four protocols (IEC101, IEC104, IEC61850 and OPC DA) and is specifically designed to target industrial control systems used in electricity generation. We are actively monitoring threat intelligence platforms to determine potential risk and deterrence mechanisms. Please refer to “Honeywell Recommends Steps to Mitigate Threats Posed by Malware” below to mitigate threats posed by malicious software agents.

WannaCrypt Ransomware

On May 12, 2017 it was widely reported that many businesses were infected by ransomware. If you have a concern about your Process Control Network, it is recommended that you follow the best practices described on this page under “Honeywell Recommends Steps to Mitigate Threats Posed by Malware,” including installing the latest qualified Windows patches. For more information about this specific ransomware, see the report issued by the United States Computer Emergency Readiness Team (US-CERT) at https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported.

WannaCrypt is one of many names that have gained traction for the ransomware that has had devastating effectiveness in spreading and infecting machines across the globe. It takes advantage of an SMB exploit within Windows versions starting in Windows Vista (earlier versions may be impacted but they are no longer supported by Microsoft and were omitted from the announcement) and up to and including Windows 10 / Server 2016. Microsoft released a patch for this vulnerability that has been qualified in the SUIT image in the March ISO. McAfee and Symantec have also released emergency Signature (DAT) files that Honeywell has qualified. Customers should immediately:

  1. Ensure they have the latest SUIT patches installed

  2. Ensure they have the most up to date DAT files installed

Malware and Antivirus support

 
Honeywell supports the use of McAfee and Symantec antivirus packages as part of our industrial control solutions. McAfee and Symantec continuously monitor emerging cyber security threats and update their software to address threats.

 
Honeywell Recommends Steps to Mitigate Threats Posed by Malware

 
The following steps are recommended to mitigate threats posed by malicious software agents.
  1. Ensure that your antivirus software is up to date with the latest qualified packages.

  2. Ensure that host platforms are up to date with the latest qualified patches.

  3. Ensure that there are no e-mail clients on any nodes of your process control network.

  4. Use a firewall and DMZ for the business network to process control network interface.

  5. Use Honeywell's High Security Network Architecture to lock down the nodes in your system. 

  6. Restrict and monitor all I/O devices on your process control network (i.e., USB, CD/DVD drives).

  7. Review the Experion Network and Security Planning Guide for additional guidance on securing your installation.


 
Additional Security Information

 
Honeywell Process Solutions publishes Security Notifications in the event that a product has a security vulnerability that has been resolved. Please subscribe to security notifications in order to ensure that your Honeywell products are up-to-date.

 
To report a security vulnerability against a Honeywell product, please visit

 
For more information about cyber security products and solutions please visit www.BeCyberSecure.com.

 

National Cybersecurity and Communications Integration Center (NCCIC) Guidance


 

Honeywell also recommends that customers review the Destructive Malware white paper issued by the National Cybersecurity and Communications Integration Center (NCCIC) at https://ics-cert.us-cert.gov/sites/default/files/documents/Destructive_Malware_White_Paper_S508C.pdf

​​​​​​​ ​​​​​​​​​​​​​​​​​​​​​​​
