News

Important notice about our countermeasure for targeted cyber-attack to our software

Last updated: June 19, 2012
Posted: June 11, 2012

Thank you very much for your continuous use of Pro-face products.

As you are aware, cyber security is changing the business climate for control systems. Digital Electronics has become aware of cyber security vulnerabilities in Pro-Server EX and WinGP on PC for HMI GP series. The vulnerabilities can be exposed in the event of a targeted cyber-attack. An attacker would use a masqueraded node that would use a specially crafted packet sent to Pro-Server EX.

We take these issues seriously and have created the following workaround and solution.

Products and Versions Affected

Data Management Software "Pro-Server EX":
Product model: EX-SDV-V1*, PFXEXSDVV13
Applicable version: Pro-Server EX Ver. 1.00.00 to Ver. 1.30.000
 How to check the version: [Help (H)] → [About this program (A)]
HMI Screen Editor & Logic Programming Software “GP-Pro EX” and Related Software, "WinGP":
Product model: EX-WINGP-IPC, EX-WINGP-PCAT
Applicable version: WinGP Ver. 2.00.000 to Ver. 3.01.100
 How to check the version: [Help (H)] → [About this program (A)]
Top Page

Workaround and Solution

The following modules are released.
-> GP-Pro EX (Ver. 3.01.102 to 3.01.203) Update Module

-> Pro-Server EX (Ver. 1.30.100 or later) Update Module

-> WinGP Ver. 3.01.102 Installer

* To download the module, free member registration for “Otasuke Pro!” is required. Click here to register.

We already reported about this matter to ICS-CERT*. We address the issue of the protection from cyber attacks to the users' equipment or control system.

-> The document on the US-CERT website
This link is provided for informational purposes only and does not represent an endorsement by or affiliation with the US-CERT (DHS).

* ICS-CERT(Industrial Control System Cyber Response Team) is an institution which protects control systems from cyber attacks in the United States Department of Homeland Security. In cooperation with US-CERT charged with information security, ICS-CERT treats vulnerability information about control systems, and it offers to support the incidents about control systems of society's infrastructure, lifelines and basic industries in the United States.
Top Page

Mitigation

We recommend customers take defensive measures to minimize the exploitation risk. Specifically, customers should do the following:
  1. Review all network configurations for control system devices.
    - Remove unnecessary PC(s) from control system networks
    - Remove unnecessary applications from control system networks
  2. Minimize network exposure for all control system devices. Control system devices should not have a direct connection to the Internet
  3. Locate control system networks and devices behind firewalls.  Isolate the control system from the business network.
  4. When remote access to a control system is required, employ secure methods, such as Virtual Private Networks (VPNs). However, our customers must recognize that a VPN is only as secure as the connected devices.
Top Page

Contact

If you have any inquiries, please contact our sales office in your region.
For contact information, please refer to the "Inquiry" page.
Top Page