HD Moore and Rapid7 highlighted security issues related to serial port servers, aka terminal servers in the ICS world. They found a large number that were Internet accessible and highlighted some vulnerabilities that have published Metasploit modules. Paul Roberts captured my thoughts in an article at Security Ledger. Slide 19 of HD’s presentation shows another example of the component vulnerability problem in ICS, similar to CoDeSys. He names about 40 vendors that use the Digi Development kit.
Wurldtech announced that the DeltaV group at Emerson achieved the Achilles Practices Certification, which is based on the WIB standard. This is a testament to the power of procurement. Essentially Shell procurement requirements related to vendor security programs were provided to WIB, turned into a Wurldtech certification and became a requirement by Shell and others in oil/gas. Most of the big vendors in oil/gas DCS want this business and get certified. The WIB standard has been submitted to IEC, but it has a rough political road from ISA99, other IEC efforts and other issues.
Joel Langill highlighted the latest SCADA+ Exploit Pack from Russian company GLEG. It includes three new exploit modules for Schneider systems and one new exploit module for GE’s Proficy/Cimplicity.
Billy Rios and Terry McCorkle are teaching ICS For Pentesters at Black Hat in Vegas this July. At ~$2,500 it is pricey for two-day training, but I can tell you from seeing them firsthand at S4 Training that these guys know their stuff and have a well-prepared course.
A minor kerfuffle this week up in Canada regarding the cyber attack on Telvent. Some in the government were upset that Telvent did not notify the Canadian Cyber Incident Response Center (CCIRC). In the end the fact that Telvent contacted customers was viewed as the most important fact. In our experience CIRTs/CERTs are only information conduits at this point, adding little analysis or value. Telvent didn’t need help getting information to their clients.
Progress is slow in rail cyber security, but there has been some progress. Dave Teumim and Leigh Weber will teach a course on the American Public Transportation Association’s (APTA) Recommended Practice (Part 2 Securing Control and Communications in Rail Transit Environments). And it’s free in Philadelphia on June 5th.
Landis & Gyr has joined the French SOGRID effort. “The overall ambition of SOGRID is to set an international standard in communication based on the power line communication protocol (PLC), which allows the transmission of digital data over the grid. This means transitioning from a few “smart” elements in the grid towards a total ‘smart grid’.”
Tweet of the Week
None last week so two this week.
Worth Reading Articles
- Electrical Engineering Portal’s Three Generations of SCADA System Architectures
Critical Intelligence’s ICS Security Event Calendar Updates
- BSides Presentation SCADA/ICS Insecurities of Drinking Water Utilities, May 18 in Boston, Massachusetts
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by mag3737