Otorio, a provider of OT security and digital risk management solutions, released an open-source tool designed for hardening the security of GE Digital’s CIMPLICITY, one of the most commonly used HMI/SCADA systems.
About GE Digital and CIMPLICITY
GE Digital is a leading provider of industrial software solutions and IoT services. As such, their systems can be found in almost every industry. CIMPLICITY is a well-known HMI/SCADA system with a well-established track record. This scalable automation platform provides visualization and control for industrial systems of various sizes and architectures. Where installed, CIMPLICITY is the key component that controls and monitors the operations in the manufacturing environment.
GE Digital invests a lot of effort into the security of CIMPLICITY and its deployment guides. However, making complicated systems secure is not an easy task. In a complex industrial environment, there are many connections and data flows between different layers of the factory. Hence, automating parts of the process and adding one more layer of verification can significantly improve a company’s security posture.
About the newly released tool
Over the past several months, Otorio’s researchers worked closely with GE Digital engineers to deliver a first of its kind open-source tool designed to identify GE CIMPLICITY misconfigurations.
The GE CIMPLICITY Hardening Tool verifies the security configuration of different CIMPLICITY components and helps operational teams ensure that the highest security standards are maintained. As an example, the tool checks for proper configuration of IPsec, which ensures secure communication between the different CIMPLICITY components.
“The tool is simple to use and requires no cyber expertise,” noted Yuval Ardon, Security Researcher at Otorio.
“Cybersecurity experts are seldom present on the production floor. Therefore, we designed the tool with the system integrators who install these systems and OT security personnel within the plants as its primary users. The tool is as simple as a ‘double click’ of a PowerShell script, making it easy to run even for non-technical personnel.”
The company made sure to point out, though, that this new tool does not address all the possible misconfigurations or checks all of the security flaws that may arise in CIMPLICITY environments (like network segmentation of the network, for example).
GE Digital’s model assigns responsibility and liability to the buyer or user (see Disclaimer of Warranties and Liability in the secure deployment guide), yet the company is committed to continued collaboration on security. Otorio believes that this tool provides an effective way to verify the control servers themselves and is definitely a good starting point.
This marks the second open-source tool released by Otorio as part of the company’s ongoing commitment to empower industrial organizations’ security teams worldwide: in December 2020, the company released an open-source hardening tool for Siemens’ PCS 7 control systems.
“We would like to thank GE Digital for their cooperation and feedback on the tool. We hope that more automation vendors will follow their example and join us to take an active role in securing their systems,” Ardon concluded.