Industrial cybersecurity firm OTORIO this week announced the availability of a new open source tool designed to help organizations secure their GE CIMPLICITY systems.
GE Digital’s CIMPLICITY is a highly popular human-machine interface (HMI) and supervisory control and data acquisition (SCADA) product that the company says is used by some of the world’s largest organizations.
OTORIO has worked with GE Digital to develop a free and open source tool that can be used to harden CIMPLICITY systems by ensuring that they are configured in accordance with the vendor’s guidelines for security best practices.
The tool is a PowerShell script and it has been tested on systems running Windows 7, 10, Server 2008 R2, Server 2012 R2 and Server 2016. It’s designed to collect data from the Windows registry, Windows Management Instrumentation (WMI), security policies, Netstat, DirList, and the Net and Netsh commands.
The CYMPLICITY hardening tool checks the system to ensure that passwords need to be long and complex and are not stored in clear text, that accounts are protected against brute-force attacks, that users who don’t need them don’t have elevated privileges, that unnecessary ports are not open, that shared resources are protected, that only admins have debugging privileges, that communications are encrypted, that CIMPLICITY files are not exposed, and that RDP does not expose the system to remote attacks.
“The new tool designed by OTORIO is simple to use and requires no cyber expertise. Cybersecurity experts are seldom present on the production floor. Therefore, we designed the tool with the system integrators who install these systems and OT security personnel within the plants as its primary users. The tool is as simple as a ‘double click’ of a PowerShell script, making it easy to run even for non-technical personnel,” said Yuval Ardon, one of the OTORIO researchers involved in the development of the tool.
This is the second open source ICS security tool released by OTORIO. In December, the company announced the availability of a tool designed to help organizations harden Siemens SIMATIC PCS 7 distributed control systems (DCS).
When it released the tool for the Siemens DCS, OTORIO told SecurityWeek that, when trying to secure an environment, it’s more cost effective to start with server configurations.
It’s worth pointing out that both the Siemens and GE tools inform customers about identified issues, but are not designed to automatically address them.