Project Basecamp tools was a big story, but we have covered that thoroughly on this site.
The other big stories, at least in the US, are happening in Washington DC. The Senate Cybersecurity Act of 2012 was introduced by a bipartisan group of Senators. Homeland Security Television has a great, one-page, at-a-glance summary. You can watch the Senate Testimony here. From CNN’s summary: “private companies that control such ‘critical infrastructures’ would be identified by the Department of Homeland Security and each individual company would be required to secure their own networks from cyberattack, and then ‘self-certify’ in an effort to show the U.S. government it had complied. DHS would have the opportunity to spot check companies, and failure to secure could lead to civilian penalties.”
Not so fast, though: Senator McCain and seven other senators plan to introduce a competing bill that gives NSA the power to work domestically for the first time to stop cybersecurity threats. Sen. McCain also questioned providing additional power and responsibilities to DHS and the burden on the private sector of these regulations … so maybe it is not a done deal.
President Obama also released a proposed budget for next year that provided some clues. Patrick Coyle dug into the details and found on page 2118 of the budget rationale that ICS-CERT would increase from 9 to 12 full time employees in this budget. Other than small details like that, the budget related to ICS security remained about flat.
Dutch researchers showed how water control systems in the Netherlands could be hacked and maliciously operated to flood the Netherlands with water and wastewater. It sounded a lot like the Australian wastewater hack until you realize how important water control is to the large areas that are below sea level. The impact of an ICS attack here would be huge.
Joel Langill joined the growing number of ICS security training options in announcing his new 5-day training course Understanding and Securing Industrial Control Systems. He also announced a 1-day introductory course. Joel is the former Infosec Institute teacher, so it will be interesting to see who takes over that class. Now, with a full field of private sector courses, will DHS/INL finally admit they are competing with industry, which they are prohibited from doing, and stop their basic and intermediate training?
Travis Goodspeed has been wardriving around Knoxville, Tennessee looking for Zigbee, 802.15.4 access points with his mobile kit. He took some pictures that are worth a look. 802.15.4 is the basis of many DCS wireless systems including WirelessHART and ISA100, although those protocols do add security at layer 3.
Worth Reading Articles
- Two articles on our Feb 14 release of Project Basecamp tools: Paul Roberts of Threatpost’s Bloody Valentine and ICS-CERT’s related alert.
- CNN article: Senators Spar Over Cybersecurity
- EET Article: Best Practices – Improving Embedded Operating System Security. DP Note – This is from the Wind River / VxWorks people, so very applicable to the ICS space.
- Tenable Blog on integrating Nessus results with Metasploit: Nessus 5 Making My Pentesting Easier
Critical Intelligence’s ICS Security Event Calendar Updates
- Western Power Delivery Automation Conference Security Presentations, Mar 29 – 30 in Spokane, Washington
- CERIAS Information Security Symposium SCADA and Security Panel, Apr 3 in W. Lafayette, Indiana
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by Luigi Lombardi