OTPulse

GE Proficy CIMPLICITY - Cleartext

CVSS: 7.5
Source: ICS-CERT ICSA-22-053-02
Published: Feb 22, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

GE Proficy CIMPLICITY contains a cleartext communication vulnerability (CWE-319) affecting all versions. An attacker who can access the network can capture session data without authentication, allowing disclosure of sensitive information including credentials and process data.

What this means
What could happen
An attacker on your plant network could intercept unencrypted CIMPLICITY communication sessions and capture credentials or sensitive process data. This could enable follow-on attacks or allow an attacker to monitor operations without detection.
Who's at risk
Energy utilities and industrial facilities operating GE Vernova Proficy CIMPLICITY HMI/SCADA systems are affected. This includes operators of generation, transmission, and distribution control systems that rely on CIMPLICITY for process visualization and data logging.
How it could be exploited
An attacker positioned on the same network segment as CIMPLICITY (via compromised workstation, rogue connection, or if the system is internet-exposed) can passively capture network traffic to CIMPLICITY servers and extract credentials or sensitive session data in plaintext.
Prerequisites
  • Network access to the same segment or path as CIMPLICITY traffic
  • No authentication required; the attacker only needs to observe traffic
  • CIMPLICITY communication must be unencrypted (default configuration)
Key points
  • No patch available
  • Remotely exploitable if accessible from the internet or a compromised internal network
  • No authentication required for packet capture
  • Affects critical energy sector control systems
  • Default insecure configuration
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product            | Affected Versions | Fix Status
Proficy CIMPLICITY | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Enable communication encryption on all CIMPLICITY systems according to the Secure Deployment Guide
  • HARDENING: Configure IPSec for CIMPLICITY network traffic following the Windows Hardening Guide Appendix A
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Isolate CIMPLICITY systems behind a firewall and segment them from the business network
  • HARDENING: Restrict network access to CIMPLICITY to only authorized engineering and operations workstations
  • WORKAROUND: If remote access is required, implement a VPN and keep it updated to current versions
Long-term hardening
  • HOTFIX: Contact GE to inquire about an upgrade to the latest available CIMPLICITY version
Mitigations - no patch available
Proficy CIMPLICITY (all versions) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Monitor network traffic to and from CIMPLICITY systems for suspicious activity
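As an added example (not part of this advisory or of GE's guidance), the two compensating controls above, restricting access to authorized workstations and monitoring traffic to CIMPLICITY, expressed as a check over exported flow records. The server addresses, the engineering workstation subnet, and the flow records are constructed assumptions; a session is treated as encrypted only when it is carried inside IPsec ESP.

```python
from ipaddress import ip_address, ip_network

# Assumed addresses for illustration: two CIMPLICITY servers and the
# engineering/operations workstation subnet allowed to reach them.
CIMPLICITY_SERVERS = {ip_address("10.20.0.10"), ip_address("10.20.0.11")}
AUTHORIZED_WORKSTATIONS = [ip_network("10.20.1.0/28")]
ESP = 50  # IP protocol number for IPsec ESP; traffic inside ESP is encrypted

# Constructed flow records (src, dst, ip_proto, dst_port), as a NetFlow/IPFIX
# export or firewall log would provide them. Port values are sample values only.
SAMPLE_FLOWS = [
    ("10.20.1.5", "10.20.0.10", ESP, 0),       # IPsec-protected, authorized host
    ("10.20.1.6", "10.20.0.10", 6, 5000),      # cleartext TCP, authorized host
    ("10.30.5.77", "10.20.0.11", 6, 5000),     # cleartext TCP from business LAN
    ("203.0.113.9", "10.20.0.11", 6, 5000),    # cleartext TCP from the Internet
    ("10.30.5.77", "10.30.5.1", 6, 443),       # unrelated traffic, ignored
]


def classify_flow(src, dst, proto):
    """Return a finding label for one flow to a CIMPLICITY server, or None."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if dst_ip not in CIMPLICITY_SERVERS:
        return None  # not CIMPLICITY traffic
    authorized = any(src_ip in net for net in AUTHORIZED_WORKSTATIONS)
    if proto == ESP:
        # Encrypted session; still flag it when the source is outside the allow-list
        return "ok" if authorized else "high-unauthorized-source"
    if authorized:
        return "medium-cleartext-session"  # encryption not enabled (CWE-319)
    return "high-unauthorized-cleartext"  # access restriction and encryption both missing


def audit_flows(flows):
    """Return one finding dict per flow that violates a control; 'ok' flows are dropped."""
    findings = []
    for src, dst, proto, port in flows:
        label = classify_flow(src, dst, proto)
        if label and label != "ok":
            findings.append({"src": src, "dst": dst, "port": port, "finding": label})
    return findings


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f['finding']:28} {f['src']} -> {f['dst']}:{f['port']}")
```

Running the script on the constructed records reports the cleartext session from the authorized workstation and the two sessions from outside the allow-list, which is the pattern the monitoring control is meant to surface.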