Friday News & Notes

ICS Security NewsICS released Version 3.0 of The Roadmap To Secure Control Systems in The Transportation Sector. It’s a good primer to transportation sector ICS, which surprisingly includes pipelines. Each sector is defined along with a glossary of key terms. The four goals are very basic, but this may be exactly the type of document that most parts of transportation sector needs as they are behind other sectors like electric, oil/gas, chemical and even water.

Automotive control system security is heating up. The Linux Foundation just created the Automotive Grade Linux Workgroup. Their initial focus will be on Linux for the Instrumentation Panel and Infotainment System. On the other side, The Register reported on BMW’s being stolen using On Board Diagnostics bypass tools.

The US Federal Energy Regulatory Commission has created an Office of Energy Infrastructure Security (OEIS). FERC and a cooperative Congress has been promoting the notion that FERC lacks the authority to help secure the electric sector, but FERC hasn’t done much with the authority they have (NERC CIP). Security had been in the FERC Office of Electric Reliability, and I like the idea of security being considered an element of reliability. That said, if this new OEIS helps FERC get a fresh start on cyber security it’s a good move.

NERC has posted their presentation on the major differences and benefits to CIP V5.

There are so many articles and discussions on cyberwar going on that it is hard to track. This week the most amusing was US Pentagon’s Joint Staff saying that Iran was pursuing a covert cyber war on the US. As an American my sympathies lie with the US efforts, but we really can’t cry foul if Iran hits back.

A Sophos anti-virus signature update resulted in false positives this week. These rare occurrences are sometimes used as rationale to not update AV. Instead split AV updates into two groups (splitting redundant systems) and stagger updates, and perhaps consider having a delay between download and update.

Tweet of the Week

[blackbirdpie id="248479445030166528"]

Don’t forget to subscribe to this blog RSS feed and follow @digitalbond.com on twitter.


Worth Reading Articles

Critical Intelligence’s ICS Security Event Calendar Updates

Thanks to Stephan Beirer of GAI NetConsult for updating the events in Germany.

Critical Intelligence provides reports and other information products on  Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Image by bixentro

6 comments to Friday News & Notes

  • Sihoko

    Issues with AV are not so rare as suggested, when tested more issues arise. On average a couple a year. Such as memory leakages, reboot issues, functional issues with the scan engine … This is why several vendors today test these DAT files (though tests are also limited).

    Additionally you are only a digital signature a way from infecting your ICS with malware, and we have seen how Microsoft WSUS distribution was used to deliver Flame, signatures are not of much value nowadays. AV dat files contain much more than simple byte sequences, and can be considered a single point of failure even with staggered roll out.

    So several dangers, but no good alternatives.

  • Bryan Owen

    Risk-reward for AV deployment within critical infrstrastructure sectors seems dubious at best.

    Heresy but perhaps it’s time to retreat from AV as a front line preventative defense. No accident CIPv5 attempts to open the door to alternatives like whitelisting.

    However AV seems to have found its niche in gathering data that drives forensic analysis and global security intelligence assessment.

  • Sihoko

    AWL without AV is worse, conficker virus is still frequently seen. Tests showed AWL didn’t stop conficker.

  • Dale Peterson

    Bryan – I wish you had been at S4 2012. The Great Debate topic was specifically on whether anti-virus is still a worthwhile security control in ICS. I pushed and prodded but couldn’t get anyone to agree that we are at the time where it is no longer an automatic must-have security control in ICS. I think AV will be around longer than warranted simply because the career downside is too great if it is not used. You can see the video here: http://vimeopro.com/s42012/s4-2012/video/36910405

    Our spear phishing experience only heightened my AV skepticism. None of the major AV vendors detected the malware.

    Dale Peterson
    Digital Bond, Inc.

  • Sihoko

    AV is also often made ineffective in ICS because of performance limitations. A well known example in ICS rnvironments is the disabling of the Buffer Overflow protection advised by multiple vendors. This check requires the emulator function of the AC engine, which has a significant impact calling up displays on operator stations. Good for performance, but questionable when it comes to security.

  • Bryan Owen

    AV does not scale. Not just zero day issue and signature updates, consider too giant files that frequently update (eg. Historian archives, SQL data stores, Virtual hard drives)

    There are redeeminig features but prevention is no longer one of them.

    Other recent mentions of AV shortfall:
    http://www.tofinosecurity.com/blog/shamoon-malware-and-scada-security-%E2%80%93-what-are-impacts
    http://insecurity.honeywellprocess.com

Leave a Reply