I’m sure you have heard or read about the current issue relating to a big security vulnerability in certain CPU chips (mainly Intel CPUs), called ‘Spectre’ and ‘Meltdown’. If not, please see the ‘What is it?’ section below for further information. A lot of software vendors (Microsoft/Linux/Apple etc.) are either in the process of creating, or have already created, software patches to mitigate this vulnerability.
In addition, it has been widely advertised that when such patches are applied, the machine and applications running on it could suffer a significant performance degradation (~30% in the worst cases).
SolutionsPT uses a wide variety of hardware and software vendors in the products and services we deliver. To ensure that you have the latest information available for your system, SolutionsPT have put together the following information bulletin for each specific vendor, which details the current advice and provides additional resources, direct from the vendor, to keep you up to date now and in the future.
As you can appreciate, this is a fluid situation and information is updated frequently. SolutionsPT recommends checking the vendor-specific websites for the latest information for the software and/or hardware you currently use.
SolutionsPT would also like to remind customers that patch management should form part of an overall, proactive cyber-security strategy to help mitigate the risk of this and other such vulnerabilities.
What is it?
The main cyber-security authorities, CERT (USA) and NCSC (UK), recommend applying all applicable patches for all affected software. However, given the nature of our industry, caution should be taken.
All patches should be applied to a test system before being applied to any production system and supplier advice should be followed. SolutionsPT also strongly recommends that customers ensure that they have sufficient backup & recovery procedures in place before making any changes.
Once patches have been applied, it is unclear exactly how significant the impact will be on the software applications that our customers run. Again, SolutionsPT recommends testing the performance of individual applications on a test system first to gauge the impact, if any.
Since code has to be running on a machine in order to exploit this vulnerability, this additional risk should be considered within an overall cyber-security risk assessment and strategy. This will reveal the requirement for extra security measures.
Advice for customers using Schneider Electric software (Wonderware/Citect)
Latest advice: Schneider Electric are aware of the situation and are actively monitoring it to understand the full impact of this vulnerability. Schneider Electric advises caution if customers wish to install any patches provided by other vendors (i.e. Microsoft). Such patches should be applied to a test system and monitored thoroughly first before applying them to a production system.
IMPORTANT: Customers running the Wonderware Historian software SHOULD NOT apply the Microsoft patch. Issues have been found with the Historian System Driver. See Tech Alert 287 (attached) or here: https://softwaresupportsp.schneider-electric.com/Pages/OKMArticleResult.aspx?docId=TA287 (customer account required) for more information.
Further information: Please read the two PDF documents - 'important security notification' and 'Tech Alert TA287' or view the information here: https://www.schneider-electric.com/en/download/document/SEVD-2018-005-01/
Customers are further advised to regularly check the Security Central portal: https://softwaresupportsp.schneider-electric.com/Pages/securitycentral.aspx (customer account required).
Advice for customers using ThinManager software
Latest advice: ThinManager are aware of the vulnerability announcements but have not yet released official comments on the subject. As ThinManager is abstracted from the hardware layer, we advise taking the appropriate remedial action as recommended by the hardware vendor. Any such patches should be applied to a test system and monitored thoroughly first before applying them to a production system.
Advice for customers using the Proteus Vaults (Datto)
Latest advice: Datto are aware of the vulnerability and are awaiting a patch from the Operating System vendor (Ubuntu). Once this has been released, Datto will expedite internal testing to ensure that customers’ Proteus vaults are updated as soon as practically possible. We are awaiting further communication from the hardware manufacturer as to the proposed update plan, and how we stage and perform the updates for the fastest and least disruptive installation.
Datto statement: https://www.datto.com/partner-meltdown-security-update
Customers are advised to check the SolutionsPT website regularly for the latest information and advice.
Advice for customers using the Axelia monitoring service (AVG)
Latest advice: AVG are aware of the vulnerability and are currently investigating any possible impact this will have on their platform. Once this has been reviewed with SolutionsPT, we will create a staged plan to apply any updates and patches necessary for the fastest and least disruptive installation. For the latest information, please check the SolutionsPT website (see Further Information section).
Customers are advised to check the SolutionsPT website regularly for the latest information and advice.
Advice for customers using Advantech hardware
Latest advice: Advantech are aware of the situation and are actively monitoring it to understand the full impact of this vulnerability. For the recent Intel security vulnerability, as well as the hyper-threading issue officially announced recently, Advantech have validated a new BIOS for ASMB-585/785 series motherboards. The Intel AMT issue has also been fixed with the latest BIOS release for ASMB-585/785/584/784.
Further information: Customers are further advised to regularly check the central Intel security pages for additional information:
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
Also please read the product security bulletin.
Advice for customers using Stratus FT Server hardware
Latest advice: Stratus customers must only use Stratus-approved and provided patches. Stratus customers must not directly apply any third-party patches (i.e. Windows patches via Windows Update). This is to ensure that all patches are fully qualified and tested before being applied. Stratus is currently working with its vendors to identify and qualify all necessary fixes and create the required Stratus patches. Stratus Global Customer Support will provide updates by email to customers who hold a valid support contract. These emails will be sent out weekly every Wednesday starting 10th January.
Read the alert statement here. Customers should also check the Stratus customer support portal: https://www.stratus.com/services-support/customer-support/ (customer account required)
Advice for customers using the VMware Hypervisor
Latest advice: Patches have been created for VMware vSphere ESXi 5.5, 6.0 & 6.5 and some versions of Workstation. VMware recommend patching affected versions.
Advice for customers running Microsoft Windows Operating Systems
Latest Advice: Patches have been created for some supported versions of Windows. Windows Server 2012 & 2008 (not the R2 versions) currently do not have an available patch. Microsoft is working with the chip manufacturers to create a patch for these versions. The patches were released on 3rd January and will be pushed out via Automatic Update, or they can be downloaded via the Microsoft support site. As expected, only supported Microsoft Operating Systems will be patched. Legacy Operating Systems will not get the patch and remain at risk.
IMPORTANT NOTE: Issues have been detected with the Microsoft patches and certain Anti-Virus vendors. As such, the patch will not be listed in the Automatic Update list until a registry key has been set to a specific value. Customers can either update their Anti-Virus software, which should resolve this issue, or manually set the required key – see this website for more information: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software
In some cases, not setting this registry key has caused machines to not boot correctly or show Blue Screen Of Death (BSOD) messages.
In addition, people have reported that machines running AMD Athlon CPUs might be incompatible with the Microsoft patches: https://securityaffairs.co/wordpress/67498/hacking/microsoft-kb4056892-bricks-athlon-pcs.html and: https://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_pcs/
See here for more information on the patches available: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
Advice for customers running on legacy Operating Systems
Customers running a legacy Windows Operating System (or Windows Server 2012/2008) should take appropriate steps to mitigate the risk to their system as much as possible. If the legacy OS is running in a virtual machine, it is recommended to apply the appropriate patches to the Hypervisor. In any case, customers should follow standard cyber-security practices to reduce the risk.
For more information, contact us on 0161 495 4640 or visit wonderware.co.uk/tech-support.