
Friday News and Notes

  • The “news” that an attacker with network access could upload firmware to many controllers came out this week. The FOUO report has been floating around, and it is hard to believe it was marked FOUO. That networked controllers accept firmware uploads is common knowledge in the control system space, which does not diminish the fact that it is another serious and widespread control system security flaw. In fact, firmware uploads have been on the Quickdraw event list almost from the start, because it sure would be nice to know when one has happened. If you want to read parts of the leaked document and additional information, check out the liquidmatrix blog entry.
  • DHS’s Control System Security Program issued a Recommended Practice for Creating Cyber Forensics Plans for Control Systems.
  • Joe Weiss wrote a white paper that includes recommendations for the Blue Ribbon Commission on Cyber Security, which will provide a set of recommendations to the next US President. The paper is available after registering on the Control site.

Comments

Comment from Erik Hjelmvik
Time: September 2, 2008, 3:03 am

Thanks for the link to the DHS Forensics document!

I’ve browsed through it and realised that they surprisingly haven’t written anything about using network traffic captures as forensic data. This is rather odd, since devices such as PLCs and other embedded systems provide very sparse possibilities for on-host forensic analysis. Performing network forensic analysis on control system networks would therefore be ideal to deal with this dilemma. And anyone claiming that network forensics cannot be performed on control system networks, since the protocols are proprietary and obscure, is a fool.

All that is needed is a Network Security Monitoring (NSM) infrastructure with a cyclic buffer that holds all network data from the last 7 days or so. You can also combine this with having the NSM dump captured data to long-term storage upon receiving alerts from the IDS.

A good link on the topic is Richard Bejtlich’s blog post on “Collection, Analysis, Escalation and Resolution (CAER)”:
http://taosecurity.blogspot.com/2008/07/security-operations-do-you-caer.html
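
The rolling-buffer NSM setup Erik describes above, as an added example that is not part of the original post or comment: a tcpdump sensor that rotates capture files hourly, a prune hook that keeps only the last 7 days (the "cyclic buffer"), and an alert hook that copies the files around an IDS alert to long-term storage before the ring overwrites them. The directories, the interface name, the one-hour window on either side of an alert and the epoch-second file naming are assumptions for illustration; the script must be saved as an executable file, since tcpdump runs the -z command directly rather than through a shell.

```shell
#!/bin/sh
# Added example (not from the original post): 7-day rolling packet capture
# for a control system network segment, plus an IDS-alert preservation hook.
# Paths, interface, window sizes and file naming are assumptions.

RING_DIR="${RING_DIR:-/var/nsm/ring}"   # rolling buffer (assumed path)
KEEP_DIR="${KEEP_DIR:-/var/nsm/keep}"   # long-term storage (assumed path)
ROTATE_SECS=3600                        # start a new pcap file every hour
RETAIN_DAYS=7                           # the "last 7 days or so"

# How many rotated files the ring holds for a retention window.
ring_file_count() {
    # $1 = retention in days, $2 = rotation interval in seconds
    echo $(( $1 * 86400 / $2 ))
}

# Delete ring files older than the retention window. tcpdump's -z option
# runs this script after every rotation, so the buffer never grows past
# roughly RETAIN_DAYS of traffic.
prune_ring() {
    # $1 = ring directory, $2 = retention in days
    find "$1" -name 'ring-*.pcap' -type f -mmin +$(( $2 * 1440 )) -exec rm -f {} +
}

# Start the sensor. Files are named by the epoch second at which the
# rotation started (%s is accepted by strftime on glibc and BSD libc),
# which keeps the window arithmetic below trivial. Needs capture privileges.
start_capture() {
    # $1 = interface to monitor (a SPAN port or tap on the control network)
    mkdir -p "$RING_DIR" "$KEEP_DIR"
    exec tcpdump -n -i "$1" -s 0 -G "$ROTATE_SECS" -w "$RING_DIR/ring-%s.pcap" -z "$0"
}

# Print the ring files whose capture window overlaps [start, end] (epoch
# seconds). A file named ring-T.pcap covers [T, T + ROTATE_SECS).
files_in_window() {
    # $1 = ring directory, $2 = window start, $3 = window end
    for f in "$1"/ring-*.pcap; do
        [ -e "$f" ] || continue
        t=${f##*/ring-}; t=${t%.pcap}
        if [ "$t" -le "$3" ] && [ $(( t + ROTATE_SECS )) -gt "$2" ]; then
            echo "$f"
        fi
    done
}

# IDS alert hook: copy the files covering one hour before and after the
# alert to long-term storage so they outlive the 7-day ring. Prints the
# number of files preserved. Assumes paths contain no whitespace.
preserve_alert() {
    # $1 = alert time (epoch seconds), $2 = alert id used as the folder name
    dest="$KEEP_DIR/$2"
    mkdir -p "$dest"
    n=0
    for f in $(files_in_window "$RING_DIR" $(( $1 - 3600 )) $(( $1 + 3600 ))); do
        cp -p "$f" "$dest/" && n=$(( n + 1 ))
    done
    echo "$n"
}

# Usage: nsm-ring.sh start eth1        (run the sensor)
#        nsm-ring.sh preserve 1220328000 alert-0001   (from the IDS alert handler)
# tcpdump itself calls the script with the just-closed pcap path, which
# triggers the prune.
case "${1:-}" in
    start)    start_capture "${2:-eth0}" ;;
    preserve) preserve_alert "$2" "$3" ;;
    *.pcap)   prune_ring "$RING_DIR" "$RETAIN_DAYS" ;;
esac
```

With hourly rotation the ring holds 168 files; raise ROTATE_SECS on a quiet control network to keep the file count down, and wire `preserve` into whatever the IDS runs on an alert (a Snort output plugin or a log watcher) so the copy happens while the traffic is still in the buffer.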

Comment from amino world
Time: September 2, 2008, 4:54 pm

Dale, I agree that a botched firmware update has been a risk since the feature was introduced, but the “news” part is likely the discovery that the update can be done from afar (i.e. not from a laptop in front of the PLC connected by a serial cable) and with the only prerequisite being an IP address and a bad file to upload. It’s also probably news to some that there’s no authentication required in the process. I’m sure that DHS is also alarmed by the (apparently irresistible) urge to network safety systems for remote support and monitoring.

Take all of this with the recent uptick in interest in SCADA, PLCs, etc. by the black hat folks, and their prowess in crafting and supporting (!!) easy-to-use exploit packages, and I think you can see where most of DHS’s worry about this info comes from.

I might also add a comment about where DHS is on the ‘clue curve’ in this space, but I won’t.
