The Shamoon investigation by Saudi Aramco, aided by the government’s Ministry of Interior, stated “The aim was to stop pumping oil and gas to domestic and international markets”. An article in Al Arabiya goes on to say “The state-owned group which runs all Saudi Arabia’s oil production said at the time that its oil exploration and production were unaffected ‘as they operate on isolated network systems.’” I’m not buying it. I’m sure the networks are isolated, but they are also still communicating with the corporate network and probably use multipurpose laptops. Are we to believe that Saudi Aramco is the shining star of ICS security? My guess is that some ICS devices were affected but did not cause a significant impact. For example, the PC-based HMIs could have been wiped out, but this would not affect the PLCs which monitor and run the process. The fact that Shamoon was such a crude attack casts doubt on the stated aim in the report or on the skill of the attackers. Why not modify the worm to scan for listening ICS protocol ports and brick the PLCs? Equally crude but much more effective at achieving the stated aim. It’s not surprising that Saudi Aramco’s and the Kingdom’s PR is designed to put the best face on an embarrassing incident.
An FBI Situational Information Report leaked out showing one of the few concrete examples of a control system exploit being used to compromise an Internet-connected device. In this case the Rios/McCorkle Tridium vuln was used to compromise an HVAC system in New Jersey. Expect a lot more of this in 2013 as the ICS exploits are automated and ICS devices remain Internet accessible. This is not a prediction of the apocalypse, as almost all of these exposed devices are unrelated to critical infrastructure. Like any Internet attack against a known vulnerable system, the company and their customers will be affected. More information on this is available in Paul Roberts’ Worth Reading article below.
Two ICS-CERT advisories this week took very different resolution routes. Subsidiary RuggedCom fixed their hard-coded SSH credential problem and other items. Full disclosure seems to have gotten RuggedCom’s attention. However, Seth Bromberger of NCI Security had equally good results going through the coordinated disclosure route. Invensys/Wonderware’s InTouch stored credentials in a reversible format in the Ps_security.ini file. Seth wrote that he has been working the issue for 6 months, and it would be interesting to know how many hours/days this coordination work entailed.
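The InTouch finding above is about how a credential is stored, not how it is transmitted: a reversible format (an encoding or a key that ships with the product) hands the cleartext to anyone who can read the file. The following is an added example, not Invensys/Wonderware code and not a description of the actual Ps_security.ini format (which the advisory does not spell out); it contrasts a constructed reversible encoding with a salted, iterated one-way verifier, which is what an application should keep when it only needs to check a password rather than replay it.

```python
import base64
import hashlib
import hmac
import os

# --- The pattern the advisory describes (constructed illustration) -----------
# A base64 wrapper stands in for "reversible format": anyone who can read the
# stored value can recover the password, because no secret is involved.
def reversible_store(password: str) -> str:
    return base64.b64encode(password.encode("utf-8")).decode("ascii")

def reversible_recover(stored: str) -> str:
    # The store function is trivially inverted; this is the whole problem.
    return base64.b64decode(stored).decode("utf-8")

# --- One-way verifier: the mitigation -----------------------------------------
ITERATIONS = 200_000          # work factor; raise as hardware gets faster
SALT_BYTES = 16

def make_verifier(password: str, salt: bytes = None) -> str:
    """Return a self-describing verifier string: algo$iterations$salt$hash.

    The stored value lets the application *check* a password but not recover it.
    A per-credential random salt stops precomputed-table and batch attacks.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())

def check_password(password: str, verifier: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = verifier.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking where the mismatch occurs via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    secret = "s3cret-hmi-operator"          # constructed sample credential
    stored = reversible_store(secret)
    print("reversible:", stored, "->", reversible_recover(stored))
    v = make_verifier(secret)
    print("verifier:  ", v)
    print("correct password accepted:", check_password(secret, v))
    print("wrong password rejected:  ", not check_password("wrong", v))
```

The verifier string carries its own salt and iteration count, so the work factor can be raised later without a flag day: old records still verify, and a record can be re-hashed on the next successful login. Only the verifier should be written to configuration files such as the .ini file named in the advisory.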
OSIsoft recently held vCampus Live. Bryan Owen sent me a blurb on the security activities there: “A popular session at vCampus covered security baselines with Microsoft’s free Security Compliance Manager as well as security configuration settings for the PI System. The latter is familiar territory in the context of Bandolier. The exercises were ‘under the hood’ PI scripts that extract data for the Bandolier PI checks.” Bryan also mentioned that users are highly interested in the CVSS score and its meaning on any announced vulnerability / patch.
Tweet of the Week
Worth Reading Articles
- /dev/ttyS0 blog: Reverse Engineering Serial Ports
- Paul Roberts: FBI Issued Alert over July Attack on HVAC System
Critical Intelligence’s ICS Security Event Calendar Updates
- American Petroleum Institute (API) Cybersecurity Conference and Expo, Nov 12-13 in Houston, Texas
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by bixentro