Patrick Coyle correctly takes WAGO to task for providing the remediation advice of disabling EtherNet/IP and the web interface if not used. They didn’t fix the vulnerability, and it took them five months to put out this advice? Actually, ICS-CERT put out that advice. WAGO released “a customer cybersecurity notification on best security practices” that is defense-in-depth, change defaults, turn off what you don’t need … basic advice. They avoid addressing the identified vulnerabilities.
The Washington Post reported that Flame was developed and deployed by the US and Israeli governments, along with Stuxnet and Duqu, to slow Iranian nuclear weapon development. This was suspected due to the sophisticated collision attack and the common code with Stuxnet. It still is troubling that this reporting of what everyone thinks happened is attributed only to “several U.S. and Western officials who spoke on the condition of anonymity”. There is nothing new in the article except for the claim of attribution. Any reporter could have written this without anything beyond speculation from a few DC sources. At least Confront and Conceal had detailed conversations, code names and events. The attribution is likely correct, but it is hard to trust the story given no evidence or statements on the record.
Interesting irony that the exploit framework Metasploit had a vulnerability. Rapid 7 disclosed it and quickly issued a security patch. It’s really not that hard to figure out if you are a vendor. Have a strong security development lifecycle (SDL) and fix problems when they arise.
Tweet of the Week
Worth Reading Articles
- Eric Byre’s Securing SCADA Systems From APTs like Flame and Stuxnet, Part II
- Bruce Schneier’s The Vulnerability Market and The Future of Security
Critical Intelligence’s ICS Security Event Calendar Updates
- OPC Technology Summit DHS Speaker Keynote, Oct 16-18 in Orlando, Florida
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by just some dust