admin posted on 2018-1-19 08:25:40

[Important Rebuttal] -- Clarification and Statement on the CODESYS Security Vulnerabilities Circulating Online

                                                                                                   

High Security standards for CODESYS
Kempten, January 2018: Recently found and reported vulnerabilities in CODESYS have been known and fixed for years.
Thanks to the comprehensive capabilities of the leading IEC 61131-3 system CODESYS, the tool is used in many industrial controls from different manufacturers worldwide. The system is also popular in China.
Recently, Security researchers have pointed out Security vulnerabilities in CODESYS and published them in a defamatory way in Chinese media. The researchers stated that by exploiting these vulnerabilities, controllers programmable with CODESYS V2.3 could be deliberately brought to a crash, or their data accessed without authorization.
3S-Smart Software Solutions as a manufacturer of CODESYS has thoroughly examined the factual content of these reports. It turned out that the mentioned vulnerabilities are no longer relevant. They were detected in 2012 and 2016 and fixed immediately. Updated versions of the CODESYS Control runtime system were delivered to the device manufacturers, along with the urgent recommendation to integrate these Security updates into the affected devices as soon as possible.
The integration of the runtime system is the responsibility of the respective device manufacturers and cannot be carried out by 3S-Smart Software Solutions. Moreover, all users of automation devices should strictly adhere to the usual Security recommendations at all times. More specifically, available Security updates are to be implemented immediately, and any relevant warnings are to be observed. The CODESYS Security White Paper summarizes important notes and can be downloaded from the 3S-Smart Software Solutions website. (Click "Read the original" below the article to download the CODESYS Security White Paper), or contact the 3S China team as soon as possible at sales@codesys.cn
3S-Smart Software Solutions takes all aspects of CODESYS Security very seriously and has introduced processes and procedures that have already proven successful in the world of IT software. This includes numerous Security features in the current generation of the CODESYS V3 software, such as user administration at various levels, encryption/signing of data and communication via dongle or with proven technologies such as TLS or X.509 certificates. CODESYS users can thus, for example, secure production processes based on the same technologies that have become standard in online banking. In addition, 3S-Smart Software Solutions has established transparent processes for publishing and resolving Security vulnerabilities: Security advisories are publicly accessible on our company's website. The corresponding Security patches can be downloaded from the CODESYS Store. (The Chinese website will be officially launched in the first half of 2018 and will be updated in step with the official website.) For years, the company has been cooperating with relevant authorities such as ICS-CERT (USA) or BSi (Germany) in the case of newly found vulnerabilities.










               