Bob O’Harrow of the Washington Post continued his cybersecurity series, this time focusing on vulnerabilities in Honeywell’s Tridium that is used in a large number of building management systems, including many directly connected to the Internet. Billy Rios and Terry McCorkle found a directory traversal vuln, downloaded the password hashes and were able to get login credentials. Billy’s interest was peaked “as he drank beers and smoked a cigar on a veranda at a conference center in Miami” at S4. Like most good events, a lot of the best stuff happens outside the presentation rooms.
Patrick Coyle reports that the schedule for HR 3674, PRECISE, “has killed the bill for possible consideration until after the election in November and probably for the remainder of the Session.” If I understand him correctly this means there will be no significant cyber security legislation this year. Considering the quality of the draft legislation, it really is no loss for the ICS security community.
GE announced the ProficySCADA app for iPad. (Download the app, it’s free. Enter the Proficy IP address and your credentials. “It supports the same full featured capabilities of a standard client by delivering full HMI/SCADA functionality including third-party application support with no screen conversions required.” Unlike many in the community, I don’t recoil in horror at making data available to the iPad or smart phone. As long as it is view only data and there is no control capability, the only concern is the confidentiality of the data. In fact clients have asked us if “if it is ok”. We answer that it can be done without risking the integrity or availability of the ICS, but you Mr. Client know what the risk is if this data is disclosed. Of course, there is a risk it will be deployed poorly and insecurely, but that risk is there with most deployments.
NIST released AMI Smart Meter Upgradability Test Framework document. No chance to read it this week and would welcome a guest post from someone involved in smart grid standards work.
Innominate announced a new product in their mGuard security line. The mGuard PCI and PCIE are firewall and VPN’s on a card for PCI and PCI Express slots, respectively. There is a version that supports a SD card for the configuration memory. The VPN is compatible with the more industrial form factor versions of the product. No pricing was provided.
The Director of NSA made some big, unsupported statements about the cost of cybercrime, such as “In my opinion, it’s the greatest transfer of wealth in history.” He also pulled out some very large numbers for the cost of IP theft and other cyber crime. At the recent WEIS conference, Dr. Ross Anderson and other researchers wrote a paper trying to come up with a supportable number (particularly noting the flawed logic in IP theft numbers.) It’s much less. One other note on the comments, does it really make sense to spend $1 trillion to prevent $388 billion of cybercrime, if you believe the Director’s numbers?
DHS announced the fall meeting of the ICSJWG will be Oct 15-18 in Denver, Colorado. They also had a call for volunteers for a Program Advisory Subcommittee. Great move that harkens back to the successful PCSF conferences. They quickly filled the Subcommittee with volunteers. On the glass half empty side, DHS asked everyone who participates in an ICSJWG Subgroup to fill out a Declaration Regarding Lobbyist Form — lawyers and bureaucracies.
Pike Research, a smart grid market intelligence firm, was acquired by Navigant this week. I have really enjoyed the Pike Research blog because they cover in detail a lot more in smart grid than AMI. They also have issued reports on the smart grid security market. While I haven’t always agreed with their analysis, it was always reasoned and not hysterical like many other market intelligence firms. Hopefully they will be allowed to continue the good work.
Tweet of the Week
Worth Reading Articles
- MISO issued a max generation warning, instructing any extra generation capacity that had been witheld to be released.
- Washington Post article on Tridium’s Niagara Framework vulnerabilities discovered by Billy Rios and Terry McCorkle
Critical Intelligence’s ICS Security Event Calendar Updates
- EnergySec Summit, Sept 25-27 in Portland, Oregon
- DHS ICSJWG Fall Meeting, Oct 15-18 in Denver, Colorado
- DHS/INL Red Team / Blue Team Advanced Training, Nov 5-9 in Idaho Falls, Idaho
- DHS/INL Red Team / Blue Team Advanced Training, Dec 3-7 in Idaho Falls, Idaho
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by zimpenfish