NextGov reports that the US National Highway Traffic Safety Administration plans to “‘conduct rule-making ready research to establish electronic requirements for vehicle control systems’ in everyday cars. The budget proposes establishing a $10 million program to study cyber risks, starting in 2013.”
Four researchers published a paper showing how a virtual machine could steal crypto keys from another virtual machine on the same physical server. Ars Technica has an easier-to-understand article. This is an example of why you don’t put VMs from different security zones on the same physical server, or carry VLANs for different security zones on the same switch: a shared host or shared switch is a shared fault and attack surface, whatever the logical separation says.
DHS has published many of the ICSJWG Fall Meeting presentations. The presentation I wanted to see based on Michael’s review, ICS Challenges in Naval Surface Combatants, had not been posted yet. I still need to go through the others for gems.
HD Moore wrote four Metasploit modules for Digi equipment, including the Ethernet-to-Serial gateways. You will see Digi gateways in many ICS, where they convert control room Ethernet to field and plant floor serial comms, so a compromised gateway sits directly on the path to the serial devices behind it.
The US Senate couldn’t get the 60 votes needed to move forward with the Cybersecurity Act (S.3414). The defeat was largely symbolic, as the bill wouldn’t have gone anywhere in the House. Still, it was a bit odd that Senate Majority Leader Reid did not allow any amendments, which almost guaranteed it would fail.
The Wall Street Journal gave Idaho National Labs a huge plug with Top U.S. Cyber Defenders Work In Idaho Falls. INL does have talent; we never disputed that. The use of that talent and the impact it is making on securing the US critical infrastructure is the issue.
Pot-Kettle-Black. 58% of US Department of Energy desktop computers were missing security patches. “Also, 41 network servers were running operating systems no longer supported by their developers.” Feeling the CIP pain.
Tweet of the Week
Worth Reading Articles
- Digital Crazy Town’s Here Comes The Cybersecurity Executive Order With Its Insane Deadlines < DP Note – aggressive timelines are good, but these seem almost designed to ensure failure
- Patrick Coyle’s Cybersecurity Legislation in the Lame Duck Session
Critical Intelligence’s ICS Security Event Calendar Updates
- DHS Advanced (Red/Blue) ICS Security Training, Feb 11-15 in Idaho Falls, Idaho
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by takomabibelot