Showing posts with label RuggedCom. Show all posts

Sunday, December 8, 2013

Vulnerabilities in RuggedCom ROS-based Devices

RuggedCom switches and serial-to-Ethernet devices are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets.
Potential vulnerabilities in the web server’s authentication of the affected products might allow attackers to gain administrative access to the web interface over the network without authentication, or allow unprivileged users to escalate their privileges.

AFFECTED PRODUCTS
- RuggedCom devices with ROS version < ROS v3.12.2

RuggedCom and Siemens recommend upgrading to the current firmware version, ROS v3.12.2, which fixes the potential vulnerabilities.

Click HERE for more details.

Friday, August 31, 2012

Vulnerability in the RuggedCom Rugged Operating System (ROS) – Bulletin from RuggedCom

RuggedCom has posted today (2012-08-31) some important information about the RuggedCom Private Key Vulnerabilities for HTTPS/SSL and SSH.

On that page you will find crucial information about affected products, descriptions of the vulnerabilities, fixes, and recommendations.

As these vulnerabilities show, there is a need for increasing awareness of security issues – and a need for more resources to develop, implement and apply security measures – and for education.

When did you last talk with your management about making your system or IED more secure? Maybe it’s time to talk to them again … and again … and again.

Do you know the most secure protocol? No? It is the protocol that never was developed, implemented, or in use. ;-)

I am kidding. Sure. The Internet was originally invented for “wide-open” communications. That was a long time ago. Today it can be assumed that many new application domains will use “Internet Technology” to build the x-Webs (Energy-Web, Power-Web, Smart Grid Web, …).

Be serious on security! Please!

Access the RuggedCom Security Updates.

Tuesday, August 21, 2012

Security Issue with RuggedCom Network Devices

The operating system (ROS) used in RuggedCom network devices has (according to the ICS-CERT Operations Center) a problem with a private key which may be used by an attacker.

A report states that “the vulnerability can be used to decrypt SSL traffic between an end user and a RuggedCom network device.”

Access the complete report from ICS-CERT.

The other day I said:

It is HIGHLY recommended to ALL stakeholders in the energy
industry to keep a close eye on the security issues!!

I hope that more responsible managers will understand that implementing the needed measures is crucial to meeting their mission (not looking to comply with a standard or other specification) – this costs money … but it is a prerequisite for running your business in the future!

Don’t expect that nothing will happen!

Experts responsible for Substation Automation Systems that use ROS-based network devices should keep an eye on the issue!

Tuesday, January 31, 2012

Siemens Industry to take over RuggedCom

The Siemens Industry division (not Energy!) announced yesterday (2012-01-30) that it has agreed with RuggedCom to acquire the Canadian network supplier RuggedCom Inc. The other day it was reported that Belden was trying to take over RuggedCom.

Click HERE for the Siemens press release from 2012-01-30.

It is quite interesting to see how long it took to make Ethernet an enjoyable solution:

Excerpt from the press release: “Siemens’ portfolio of industrial Ethernet networking components is enjoying above-average growth rates compared to the competition. Until now, the main emphasis of Siemens’ installed base in this segment has been in Europe. “RuggedCom’s portfolio would be an ideal addition to our range of industrial Ethernet communication products, improving our industrial-quality router and switch offering. In addition, the acquisition would improve our footprint in the North America and the Asia-Pacific region,” said Anton S. Huber, CEO of the Siemens Industry Automation Division. Huber also indicated that all of RuggedCom’s and Siemens’ product lines would be developed further in the next few years.”

What is meant by “competition” in the statement “industrial Ethernet networking components is enjoying above-average growth rates compared to the competition”? Is Ethernet competing with the “Profi”- and many other Fieldbusses … Profibus and ProfiNet … FF fieldbus …?

For me this deal indicates that the native Ethernet solution as provided by RuggedCom and used in IEC 61850 is the most “enjoyable” and successful network solution in the next 20 years or so! RuggedCom is (like Belden/Hirschmann) quite active in the IEC 61850 standardization.

When I worked for Siemens Industry in the early 90s, I recommended using native Ethernet instead of fieldbusses … now it is 2012 – 20 years later.

Click HERE for the paper “Bridging MAP to Ethernet” [PDF, 720 KB, 1991]

Click HERE for the paper “Fieldbus standardization: Another way to go” [PDF, 720 KB, 1991].

Friday, January 6, 2012

Belden seeks to acquire networking specialist RuggedCom

Ruggedized network infrastructure compliant with IEC 61850-3 is crucial for the implementation of Smart(er) Grids. RuggedCom – one of the well-known brands in the substation domain – is one of the companies that offer network components to build the needed communication infrastructure.

One of RuggedCom’s competitors, Belden (Hirschmann is a brand of Belden), wants to take RuggedCom over.

Click HERE for the press news.

This shows that the Power Industry is following the native Ethernet solutions. IEC 61850 is based on the native Ethernet solution, in contrast to the industrial automation domain, where many solutions, even standardized ones like EtherCat, ProfiNet, PowerLink, …, compete with each other and with traditional fieldbuses, e.g., Profibus, CAN, Interbus, …

The Electric Power System has a highly standardized process: the 3-phase A.C. system (50 or 60 Hz). This single process requires a single communication solution: IEC 61850 based on native Ethernet.