Friday News & Notes

ICS-CERT issued an Alert based on Terry McCorkle and Billy Rios's work on the security of medical devices. Not surprisingly, they found hard coded passwords in hundreds of devices. But what action are we to take with this Alert, and what is DHS doing beyond coordinating disclosure? We have seen insecure-by-design PLCs and protocols generate alerts with alarming language, and then months and years pass with no further action. Maybe the FDA will take action and foster change where DHS has failed. (I was going to criticize Billy and Terry for not releasing the details, but it was ICS-CERT that chose this disclosure path.) (And IOActive joined the party by disclosing the fact they found hard coded ftp credentials in an ICS product, full stop and weak.)

The third workshop on the US Government Cybersecurity Framework is July 10-12 in San Diego. NIST has published a skeleton of an agenda that does little more than give the beginning and ending times. They will likely provide a more detailed agenda, as they did for the second workshop. However, if this third workshop is going to make progress, they should put out materials in advance for review and comment. And we are already halfway to the deadline for the release of the first draft.

Tweet of the Week


Don’t forget to subscribe to this blog RSS feed and follow @digitalbond.com on twitter.

Worth Reading Articles

Nothing this week. Enjoy the weekend.

Critical Intelligence’s ICS Security Event Calendar Updates

Nothing New This Week

Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Image by duncan

Friday News & Notes

ICS Security News

The ICSJWG Spring Meeting was cancelled, purportedly due to the sequester. ICS-CERT has published the presentations and papers that were submitted for the event on their site. No news yet on a potential fall meeting, but planning should be beginning now if it is going to be a success.

The preliminary agenda for DHS’s Chemical Sector Security Summit, July 10-11 in Baltimore, is now available. Most of the sessions are US Government speakers.

Michael Gross of Vanity Fair has another longish, Vanity Fair style article on cyber war. Not worth reading from a technical standpoint, but perhaps useful for the questions you will get from friends and family.

Tweet of the Week

scadafreude, n., Pleasure derived from insecure control systems (and, of course, fixing them)
@ReverseICS
K. Reid Wightman


Image by duncan


S4x13 Video: Using The Cyber Kill Chain in ICS

The official title of Jason Holcomb’s (Lockheed Martin) session was Turning the Tables: Transformation to Intelligence Driven Defense for ICS, but the thrust of his talk is describing how the cyber kill chain can be used in ICS.

The cyber kill chain steps for a targeted attack are Recon, Weaponization, Delivery, Exploit, Installation, C2 and Actions. Jason points out that the saying the attacker only has to be successful once isn’t quite true. A targeted attack has multiple steps, and the defender has a chance to detect, deny, disrupt, … at each step.

Looking at your SCADA or DCS from the cyber kill chain steps is another way of analyzing and selecting security controls. Jason shows an example of this in a different type of defense in depth table at 26:30. The kill chain steps are on the y axis and the defensive actions are on the x axis. The table will identify where you are missing controls at different stages of the attack, and it will also show the types of security you have in place. For example, a system could have strong deny or disrupt protection at one or more kill chain steps, but lack any detection.
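The kind of table Jason describes can be generated from a control inventory, so that the "protected but blind" condition in the last sentence is found mechanically. This is an added example, not code from the talk or from Lockheed Martin; the control inventory is constructed for a hypothetical plant, and the columns Degrade and Deceive are assumed beyond the detect/deny/disrupt the text names.

```python
KILL_CHAIN = ["Recon", "Weaponization", "Delivery", "Exploit",
              "Installation", "C2", "Actions"]
# Defensive actions: the text names detect, deny and disrupt; Degrade and
# Deceive are assumed here as further columns of the same kind of table.
ACTIONS = ["Detect", "Deny", "Disrupt", "Degrade", "Deceive"]

# Constructed control inventory for a hypothetical plant network:
# (control name, kill chain step it acts on, defensive action it provides).
CONTROLS = [
    ("Corporate/control network firewall", "Delivery", "Deny"),
    ("Email attachment filtering", "Delivery", "Deny"),
    ("Patched engineering workstations", "Exploit", "Deny"),
    ("Application whitelisting on HMIs", "Installation", "Deny"),
    ("File integrity monitoring on HMIs", "Installation", "Detect"),
    ("Egress filtering from control network", "C2", "Deny"),
    ("Decoy PLC on the control LAN", "Recon", "Deceive"),
]

def build_matrix(controls):
    """Return {step: {action: [control names]}} over the full grid."""
    matrix = {s: {a: [] for a in ACTIONS} for s in KILL_CHAIN}
    for name, step, action in controls:
        if step not in matrix or action not in ACTIONS:
            raise ValueError(f"unknown step/action for control {name!r}")
        matrix[step][action].append(name)
    return matrix

def uncovered_steps(matrix):
    """Kill chain steps where no control of any kind exists."""
    return [s for s in KILL_CHAIN if not any(matrix[s][a] for a in ACTIONS)]

def steps_missing_action(matrix, action):
    """Steps that have at least one control but none providing `action`."""
    uncovered = uncovered_steps(matrix)
    return [s for s in KILL_CHAIN
            if s not in uncovered and not matrix[s][action]]

def render(matrix):
    """Plain-text table: rows are kill chain steps, columns are actions."""
    width = max(len(s) for s in KILL_CHAIN)
    lines = [" " * width + "  " + "  ".join(f"{a:>7}" for a in ACTIONS)]
    for s in KILL_CHAIN:
        cells = "  ".join(f"{len(matrix[s][a]):>7}" for a in ACTIONS)
        lines.append(f"{s:<{width}}  {cells}")
    return "\n".join(lines)

if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print(render(m))
    print("no controls at all:", uncovered_steps(m))
    print("protected but blind (no Detect):", steps_missing_action(m, "Detect"))
```

With the constructed inventory, Delivery has two deny controls and nothing that would detect a delivery attempt, which is exactly the gap the table is meant to expose.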

S4x14 Call For Papers

Today we open the S4x14 call for papers / presentations. Send us your brilliant ICS security research for inclusion in the S4x14 program, January 15-16 in sunny Miami Beach. S4 is the one event where presenters can get into technical detail and be understood by an amazing audience. There is no SCADASEC 101 or ITSEC 101.

It’s very simple to submit. Just send an email with your topic, brief description and time needed (30 minutes is standard) to s4@digitalbond.com. If you know of research that we should chase for S4x14, please send us an email as well.

Your session should have some technical meat or a novel idea, or better yet both. Take a look at the S4x13 or S4x12 session videos to get an idea of what we are looking for. I think the definitive S4 presentation was Ralph Langner’s Stuxnet Deep Dive.

Early submission increases your chance of presenting at S4x14.

Our sole goal is to put together the best S4x14 agenda. The process is not a blind, peer reviewed process that waits until the end of the CFP date. Send us your idea, and we will give you immediate feedback. Sometimes we suggest a modification. Sometimes we pair the researcher with another researcher or vendor. If we like the session topic, we will tell you that you are in immediately.

--------

Two other side notes:

  1. We are also looking for advanced training topics and instructors for Tuesday and Friday. Last year we had Luigi Auriemma, atlas 0f d00m, Travis Goodspeed and Rios/McCorkle teaching.
  2. We are working on special one-day events for Tuesday and Friday that should be novel and important for the ICS community. These will be announced in early July.

Friday News & Notes

ICS Security News

NIST held the second workshop on the US Cybersecurity Framework this week in Pittsburgh, and the main session was viewable on the Internet. You can view the tweets at #nistcsf, and Cynthia Brumfield has published her thoughts on the workshop. The next workshop is in San Diego.

ISA published a Cybersecurity Brochure that covers their activities. It describes the ISA99 standards efforts (a bit light on this, I thought), training, books and the certification effort through ISCI.

Missed from last week, Cylance partnered with building construction and operation company McKenneys, Inc. This is likely a follow on from the Rios/McCorkle hack on the Tridium BAS and is a non-traditional partnership for a security firm. A sign of things to come?

SANS has started a new series they call the ICS Security Vendor Briefing. The first one is at the SANS event in Houston on June 10th and is sponsored by Waterfall, Cylance and Codenomicon. SANS limits the commercialism of the vendor sponsored presentations, but don’t let the non-profit angle fool you. These are paid vendor pitches to the SANS audience.

Tweet of the Week

We get the InfoSec we deserve… so; what are you going to do about it? I'm ready to help shake it up. #SecChat
@joshcorman
Joshua Corman


Image by mag3737

S4x13 Video: Evaluating Electric Power Software with Microsoft’s Attack Surface Analyzer

Michael Toecker’s session at S4x13 focused on two things.

  1. How secure are the applications that engineers use to configure relays in the electric grid? Prominent examples are GE’s Enervista and SEL’s AcSELerator
  2. Is Microsoft’s Attack Surface Analyzer a useful tool to analyze this electric power software?

These configuration relay applications can be great attack vectors. They are installed on engineering laptops that often connect to a variety of networks, ICS, corporate, even the Internet. Mike shows a real world example of an engineering laptop with Skype and other interesting apps.

The Attack Surface Analyzer found a lot of useful data … unsigned code, no DEP or ASLR on 75% of the software, installed software (including exe’s and dll’s) in world writeable directories, and more. ICS vendors could definitely benefit from using this tool. Owner/operators can use this to get some idea of the quality of a vendor’s SDL.

S4x13 Video: Am I Compromised?

Jacob Kitchel of Industrial Defender selected the interesting title of Am I Compromised? for his S4x13 session. However, the bulk of the session is different approaches to applying whitelisting to ICS components including:

  • vulnerability-based approach
  • whitelist them all
  • sort and then whitelist (learning mode)
  • establishing a clean and trusted system

Jacob looks at the challenges of knowing when you have a ‘clean’ system. It’s hard enough with a newly deployed system, but how do owner/operators know if their already deployed system is clean?

Friday News & Notes

ICS Security News

Want to learn how Ruben Santamarta found the TURCK backdoor disclosed last week by ICS-CERT? Read his article on Identify Back Doors in Firmware By Using Automatic String Analysis. He pulls out the strings from firmware and then uses a tool he wrote called Stringfighter to identify likely hard coded credentials. Ruben, we want you at S4x14.
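The two steps described above, string extraction followed by a heuristic pass, are what a vendor or assessor runs over their own firmware image to catch a hard coded credential before it ships. This is an added example, not Stringfighter or any of Ruben's code; the context keywords and the "next string is a short token" rule are assumed heuristics, and the firmware fragment is constructed.

```python
import re

# Assumed heuristic: keywords that commonly label a credential prompt or
# field in firmware text (login prompts, auth strings, config keys).
CONTEXT = re.compile(r"passw|login|user|auth|secret|pin\b", re.IGNORECASE)

def extract_strings(blob, min_len=4):
    """Return [(offset, text)] for runs of >= min_len printable ASCII bytes,
    equivalent to running the classic `strings` utility on a raw image."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(blob)]

def looks_like_token(s):
    """Assumed heuristic: a credential value is short, has no whitespace and
    is neither a format string, a path nor a label itself."""
    return (4 <= len(s) <= 32 and not re.search(r"[\s%/\\]", s)
            and not CONTEXT.search(s))

def credential_candidates(strings, max_gap=64):
    """Pair each short credential-context string (e.g. 'Password:') with the
    next string that follows within max_gap bytes and looks like a token.
    Adjacent placement in .rodata is what makes a hard coded value stand out."""
    found = []
    for i, (off, text) in enumerate(strings[:-1]):
        if len(text) > 24 or not CONTEXT.search(text):
            continue
        next_off, next_text = strings[i + 1]
        if next_off - (off + len(text)) <= max_gap and looks_like_token(next_text):
            found.append((off, text, next_text))
    return found

# Constructed firmware fragment (not a real product image): a banner, a
# login prompt followed by a literal username and password, some binary
# filler, an error message, a path and a format string.
FIRMWARE = (b"\x00" * 16 + b"GET /index.html\x00\x00" + b"Login:\x00" + b"admin\x00"
            + b"Password:\x00" + b"Sup3rS3cret!\x00" + bytes(range(256))
            + b"Invalid username or password\x00" + b"/bin/busybox\x00" + b"%s: %d\x00")

if __name__ == "__main__":
    for off, label, value in credential_candidates(extract_strings(FIRMWARE)):
        print(f"0x{off:06x} {label!r} -> {value!r}")
```

The error message and the path are correctly left alone: the message is too long to be a prompt and the path fails the token rule, which is the kind of false positive a naive keyword grep would report.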

A research report from Zpryme breaks down the $8 billion the US Government allocated to smart grid projects as part of the 2009 recovery act. $5.1B has been spent so far and $3.2B (63%) was spent on smart meters. The industry won’t see this market stimulating money again. The smart grid budget for 2014 looks to be $450M with most going to R&D rather than subsidizing meter purchases.

US Congressmen Markey and Waxman released a report they ‘wrote’ entitled Electric Grid Vulnerability – Industry Responses Reveal Security Gaps. The best part of the report is Table 1 on page 14. Key findings, such as utilities being under cyber attack, like every other company connected to the Internet, aren’t helpful. This is mainly a document to support past legislation that is being reintroduced.

May 28th is a big day in Japanese ICS Security as the government’s Control System Security Center (CSSC) will celebrate the opening of the ICS testbed in Tagajo. I haven’t visited the site yet, which is located close to Sendai and where the deadly tsunami hit, but the pictures show a truly first class facility for research and training.

ISA99 has released a draft of TR62443-2-2 Patch Management in the IACS Environment to help owner/operators develop a patch management program. They are looking for comments.

I generally avoid commenting on industry quotes in articles, but the Register article on respected expert Mark Fabro’s AUSCERT presentation is disturbing. It is not difficult to cause serious damage to the critical infrastructure by attacking an ICS. In fact, we had so many presentations at S4x13 showing simple ways to do this that we are likely to reject the simple attack sessions for S4x14. It certainly doesn’t require clearing 143K hurdles, and a small team of 1-3 people with moderate skills and motive and a willingness to suffer the consequences of retribution can do significant damage. Perhaps the author didn’t accurately capture Mark’s viewpoint, or maybe he was only talking about the difficulty of causing a nationwide blackout rather than just damage to a portion of the bulk electric system or other critical infrastructure.

Tweet of the Week

Turnabout is fair play? WSJ says Iran has 0wned US utilities http://t.co/gjOlMxr13O #blowback
@WeldPond
Chris Wysopal


Image by ChrisInPlymouth

S4x13 Video: Recovering Siemens S7 Level 3 Passwords

Eric Johansson from Management Doctors in Sweden brought over a great Siemens S7 demo rack to demonstrate some attacks on the Siemens S7 PLC family.

At 7:45 Erik shows that the Level 3 password (the highest security level, which controls read/write access) can be recovered by capturing the packets sent to the PLC. This was actually known and included in Siemens documentation (July 2011) as a potential weakness — with advice to not let the bad guys on your network.

At 14:13 Erik shows a denial of service attack on the Siemens equipment he brought to S4x13. It requires a power cycle and administrator action to put the PLC back into Run mode.

The Q&A at 18:19 is quite interesting.

Arne Vidstrom of FOI was part of the team that did this work.

Friday News & Notes

ICS Security News

Odd and troubling week.

DHS Secretary Napolitano announced Enhanced Cybersecurity Services — the US Government will share information on 0days and threats via a paid service offered by private government contractors like AT&T, Raytheon and Northrop Grumman. This would even include 0days purchased from researchers. Does this make or break the 0day market? How does this compare to a bug bounty? This is so odd it’s hard to even come up with a cogent argument for or against your tax dollars at work.

The US NIST published a document analyzing the request for information (RFI) responses to the upcoming cybersecurity framework. Respondents think it should be flexible, global, risk-based and leverage existing standards. Ok …

NIST issued Revision 1 of SP800-82 Guide to ICS Security. More importantly they announced an effort for a major update of this document to Revision 2 in the next year.

The NY Times and most other major media vaguely reported on cyber attacks on energy sector companies with the goal of sabotage or control of the ICS. The information is based on a non-public bulletin from ICS-CERT.

Anonymous announced Operation Petrol will start on June 20th against “greedy oil companies” and governments that support them.

The US Securities and Exchange Commission (SEC) reported that the 27 largest public companies sustained no major financial losses due to cyber attacks.

Tweet of the Week

the same public that says the #nist cyber security framework should be "risk based" says "baseball should include baseballs" #nistcsf #eo
@sintixerr
Jack Whitsitt


Image by ChrisInPlymouth