Friday News & Notes

ICS Security News

Sorry for the absence last week, but I was at a SCADA Security Summit up the Wilder Kaiser in the Alps. The best kind of summit with only 1/3 of the talk on ICS security, beautiful scenery and Tyrolean food / German beer in the huts.

The WikiLeaks story on Syria has a SCADA security twist. The Italians  sold Syria a TETRA trunked radio system against their stated policy, but the US had the capability to read the “interception-proof” system. The SCADA security twist – TETRA radio systems are often used in SCADA. This shouldn’t lead asset owners to immediately replace all TETRA radios; they are often used for low value / low impact communication to field sites. Most publicly available radio systems used in SCADA can be intercepted with enough equipment. Inserting or modifying data is more difficult. It’s the difference between having a fast follower or other special purpose receiver and cracking the TRANSEC and/or COMSEC algorithm and recovering the keys. Here is a helpful site if you want to learn more about TETRA security.

EnergySec was hit this week with a spear phishing attack that appears to be, based on the indicators, from the same group that sent email to Digital Bond. It’s great to see another group announce this for awareness and post the email so the community can see what they look like. If they are going after EnergySec and Digital Bond, it seems likely they are going after the more important targets, the companies that run the critical infrastructure and the major ICS vendors. They should be worried if they are not identifying these spear phishing emails.

The Japan Times has a short article on the Information Security Policy Council’s new policy to “protect critical infrastructure from computer-based incursions”. More on this when I’m back in Japan in two weeks.

The emergency sirens went off for about 30-minutes in Evanston, Illinois for no reason. The sirens tones varied from tornado to military emergency, with the later never heard by residents before. Since they can’t find any mechanical reason, it must be a hacker, of course. “sirens are activated by a radio signal containing a unique code, Shaughnessy said. Police suspect someone made a copy of the signal and broadcast it, activating the sirens, he said.”

DHS lost another senior cybersecurity manager, Matt Coose who was the DHS National Cybersecurity Division’s Federal Network Security Branch. Mr. Coose is the seventh senior official to leave in the last year.

With CERN and Higgs boson in the news this week, readers may be curious about CERN’s control systems. Not surprisingly given CERN’s location, it is Siemens based, WinCC / S7′s, as well as Modicon PLC’s.

From last week, a report on wiretaps authorized by US Federal and State Courts had this little gem: “In 2011, encryption was reported during 12 state wiretaps, but did not prevent officials from obtaining the plain text of the communications.”

And finally, for all those that have been asking. I’m very disappointed with the ICS-CERT Incident Summary report on activity from 2009 – 2011. The way that they presented the statistics was almost certain to lead to bad reporting. The vaunted fly away teams performing spear phishing analysis on corporate networks of critical infrastructure networks, really? That’s the focus of ICS-CERT and DHS? It seems like they don’t want to highlight or fix the real, basic security problems in ICS. I just didn’t have the energy to write a long post on their failure to even try again.

Tweet of the Week

[blackbirdpie id="220290944648495105"]

Don’t forget to subscribe to this blog RSS feed and follow @digitalbond.com on twitter.

Worth Reading Articles


Critical Intelligence’s ICS Security Event Calendar Updates

Critical Intelligence provides reports and other information products on  Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Image by milesopie

Leave a Reply