A very full Friday News & Notes plus tweet-of-the-week and Critical Intelligence’s Worth Reading and ICS Calendar Updates.
GLEG’s new Agora SCADA+ pack for Immunity’s CANVAS exploit framework created a lot of buzz and a purported DDoS attack on GLEG. The list of modules includes 9 labeled as 0days. (HT: @scadahacker) Just from the titles of the modules, it appears that the ClearSCADA vulns are the same as those we found and reported, and for which patches have been issued. This could just be a coincidence, but the Indusoft modules and others also seem similar to published ICS-CERT bulletins. We will try to confirm.
The ICS Security community can’t say that SCADA and DCS are not connected to the Internet because there are still a few, like Longmont, Colorado Power and Communications, who are kind enough to share the SCADA main and alarm views as well as substation cameras. (HT: Rubén Santamarta @reversemode) The site does say “Unauthorized use is strictly prohibited”. In their defense, they may be pushing the read-only data out so the SCADA is not actually connected to the Internet, but it is still red meat for the “SCADA is connected to the Internet” crowd and terrible OPSEC.
ISA99 has a new page with a diagram showing all the work product finished, in process and planned as well as a status table for each. (HT: @BryanLSinger). But … @ISA99Chair tweeted “The committee is considering some changes to how we organize and structure our work products and how they map to IEC 62443.”
FERC responds to the GAO Report on Electric Grid Modernization. One of the main GAO conclusions is that FERC may need, and should ask for, more authority from Congress. You would think this would be an easy sell at FERC, but as Uncle Ben said, “with great power comes great responsibility”. FERC is currently able to deflect most blame for cyber security failures by pointing to its reliance on the ERO/NERC or to the failure being outside the bulk electric system. Take this convenient, but accurate, duck by FERC in their response:
the “bulk power system” excludes virtually all of the grid facilities in certain large cities such as New York, thus precluding Commission action to mitigate cyber security or other national security threats to reliability that involve such facilities and major population areas. It is also important to note that much of the smart grid equipment will be installed on distribution facilities and will not fall under the Commission’s Federal Power Act jurisdiction.
Beyond the 34 Luigi vulnerabilities described on digitalbond.com this week, we also had two other ICS vulns:
- Rubén Santamarta released a helpful presentation and exploit code for the Advantech/BroadWin WebAccess HMI software. According to his blog entry, he contacted ICS-CERT and the vendor denied there was a vulnerability. So he released it. Rubén was very helpful in providing information for two IDS signatures that we will put out on Monday.
- A vulnerability found by Dan Rosenberg of Virtual Security Research was published in an ICS-CERT bulletin. It affects the Ecava IntegraXor HMI, versions prior to Version 3.60 (Build 4032). There is a security patch available from the vendor.
- Note: ICS-CERT did not link to either researcher or company in their bulletins. Seems a bit unfair.
Boeing is being told by the FAA that they must separate the entertainment network from the flight control systems. As reported in GCN, “The FAA is concerned that the flight-safety control system is, in fact, interconnected with two other “domains” on the airplane’s digital network: the “airline information domain” (which provides business and administrative support) and the “passenger entertainment domain” (which offers music, video and other entertainment.) This interconnectedness opens the possibility that a passenger could inadvertently or intentionally gain access to the sensitive systems that actually control the flight of the aircraft.” Sounds smart.