2012 Articles

Response to Cyber Issues and a Little Resilience

Recently, a client came to us with a new piece of equipment they wanted to put in their distribution system. A decent way to describe the new protection equipment is transmission relay technology, scaled down to distribution level and combined into a single...

read more

Friday News & Notes

A poignant reminder this week that Safety products and SIL ratings to not consider malicious attacks or even accidental spurious data. The CoDeSys development system is SIL2 certified, and they produce something called CoDeSys Safety that is SIL3 certified. Feel...

read more

CoDeSys IDS Rules Easily Avoided

Locks had "long life" and names written on them. I had a chance to chat with former Project Basecamp lead Reid Wightman about the Tofino/SCADAHacker IDS rules related to his exploit scripts. It was in conjunction with a soon to be released ioActive webinar on the...

read more

PROFINET Fuzzer Released

Roland Koch and students at the University of Applied Sciences in Augsburg, Germany have released a PROFINET fuzzer called ProFuzz. While not a top 3 protocol in the US, PROFINET is the most widely used ICS protocol in Europe, particularly in the manufacturing sector....

read more

SCADA Security Friday News & Notes

The Shamoon investigation by Saudi Aramco, aided by the government's Ministry of Interior, stated “The aim was to stop pumping oil and gas to domestic and international markets”. An article in Al Arabiya goes on to say "The state-owned group which runs all Saudi...

read more

PLC Vulnerability Distractions

ICS-CERT issued an Advisory on Friday titled Rockwell Allen-Bradley MicroLogix, SLC-500, and PLC-5 Fault Generation Vulnerability. This is just a distraction from the PLC insecure by design issue. The impact of this vulnerability is denial of service. You don't need...

read more

Friday News & Notes

GE announced the long awaited successor to the decrepit and insecure D20 -- the D20MX. This time it appears to be real as some asset owners are expecting demo/trial shipments in a matter of weeks. From the site, "Built-in cyber security features such as Remote...

read more

Friday News & Notes

Slow week in the SCADA security world. Siemens announced some new security controls for the S7-1500 line of PLCs. The most interesting feature --"Access protection addresses the problem of protecting the application against unauthorized configuration changes." We...

read more

The Value of Security, And Some History

Last week, Dale had difficult conversations regarding cyber security with two vendors. Apparently, that was the week for vendor interactions, as I had one too. My interaction was with a control system component vendor, attempting to explain the premise of my upcoming...

read more

Wayback Machine: 2003 PLC Blog Post

I'm putting together an intro for an ioActive webinar on CoDeSys with Reid, which will have some good technical information and discussion on the effectiveness of suggested compensating controls. And I'm trying to find some way to point out the complete failure of the...

read more

Friday News & Notes

Register Now for S4 2013 - Awesome Research This Year NextGov reports the US National Highway Safety Traffic Safety Administration plans to "'conduct rule-making ready research to establish electronic requirements for vehicle control systems' in everyday cars....

read more

Two Siemens Hacking Sessions Added To S4 Agenda

Keep track of the latest S4 updates on our S4 site. We have two great new additions to the S4 2013 agenda. Both happen to involve the Siemens WinCC / S7 product family. Loyal blog readers have probably heard recently of Positive Technologies whitepaper SCADA Safety in...

read more

Two Conversations Last Week

These are typical, illustrative, and sad. Conversation 1: PLC Vendor A PLC vendor reached out to Digital Bond and encouraged us to share any results we found on their systems with them. He said they were very interested in security and understood they needed to do...

read more

Friday News & Notes

EnergySec has formed the Publicly Accessible Control Systems Working Group (PACS-WG) to try to track down and remove Internet accessible devices identified in Project Shine and elsewhere. The kickoff webinar is next Friday. Eric Byres and Tofino have teamed with Joel...

read more

Siemens – Time For Code Review / SDL

A I spoke recently with Kelly Jackson Higgins of Dark Reading about the number of vulnerabilities being found post-Stuxnet. This obviously is due to the increased attention from researchers and hackers. The data also shows some vendors and products have a steady...

read more

Malware Forum Logs from Control Systems, Part Deux

Last September, I did a guest blog post titled "Online-Malware-Support-Shows-Infected-ICS-Computers", where I searched for HiJackThis posts containing automation software. Basically, there are forums available to users that had been infected with viruses. These users...

read more

Focus on Critical Infrastructure ICS?

All ICS are not created equal --- at least not from an impact to the critical infrastructure. There is a tendency to treat every ICS vulnerability or ICS security issue as a dire impact to a nation's critical infrastructure. Those responsible for securing the critical...

read more

Nmap NSE to Detect CoDeSys Insecurity Issues

Reid Wightman and HD Moore wrote up an Nmap NSE script to detect if your PLC running the CoDeSys ladder logic runtime lacks effective authentication to access the application command shell, transfer files, ... the insecure by design issues covered on the Project...

read more

CoDeSys Publicly Responds, Honest but Sad

It is hard for me to write it any better than 3S, from their site: In general, we do not offer any standard tools in CODESYS which are to protect the controller from a serious cyber attack. Should the offered password functionality suggest such a protection, this was...

read more

Friday News & Notes

A light week of news with most of the US attention deservedly focused on dealing with and recovering from Sandy. SANS highlighted a new international Consortium for Cybersecurity Action (CCA). It's largely based around the top ten / top twenty security controls lists...

read more

C3-ILEX Coordinated Disclosure

ICS-CERT issued an advisory today, C3-ILEX EOSCADA Multiple Vulnerabilities, based on a Digital Bond information. I'll tell you a bit more of the interesting story and technical details. We found these vulnerabilities on a client assessment in October 2010. They were...

read more

Japanese Control System Security Center (CSSC)

I had an opportunity to meet with much of the Japanese Control System Security Center (CSSC) team on Tuesday. They are impressively moving out fast on their efforts to build and educate the ICS security community in Japan. The CSSC was established in March of 2012,...

read more

Friday News & Notes

The US Dept of Homeland Security had another reorganization. The Control Systems Security Program is now under the National Cybersecurity and Communications Integration Center (NCIC). This was new to me, Justin Searle of UtiliSec has a two-day course Pentesting Smart...

read more

New Project Basecamp Tools for CoDeSys, 200+ Vendors Affected

Reid Wightman provided one last set of Project Basecamp tools before leaving for ioActive. This latest release are two tools for PLC's running the CoDeSys ladder logic runtime, which is a list of 261 vendors. codesys-shell.py: just like it sounds, you get the CoDeSys...

read more

Oversold? Field Security Devices

I have a problem with field security devices. Well, not really A problem, but multiple problems. 1. Avoiding The Root Cause of Insecurity There is a tendency in the ICS community, and even among those considered ICS security gurus, to promote building higher walls...

read more

ICSJWG in Review

The ICSJWG meeting was this past week in Denver, and the schedule was packed with great presentations, and speakers with a wealth of experience to share with the ICS community.  There was a significant bump in attendance this time around. Attendees were from a...

read more

Friday News & Notes

REMINDER - S4 General Registration Opens on October 24th. See The Agenda Here. Kaspersky's announcement of a new secure SCADA OS was the buzz story of the week. It's an ambitious effort with low likelihood of impact on SCADA and DCS for a variety of reasons. I do like...

read more

Friday News & Notes

Emerson announced that DeltaV DCS deployments will support virtualization in April 2013. They also highlighted the "Smart Firewall", which sounds very similar to the Honeywell CF9 approach. Basically block everything but DeltaV required protocols out of the box. The...

read more

Whack A Mole Secure Software Development

Yesterday Siemens announced new vulnerabilities, and importantly security patches to address the vulnerabilities, for their S7-1200 web application. Some credit is due to Siemens for increased transparency in announcing vulnerabilities and speed in which they...

read more

Friday News & Notes

I recorded the first edition of our new podcast Unsolicited Response this week. Some months will have 1, 2 or 3 podcasts; others will have 0. It will be out on Tuesday and hope you like it as much as the previous This Month In Control System Security. Justin W....

read more

Info Sharing Bubble Burst or Everything Is A Success

I've been a vocal skeptic on information sharing, particularly the US legislative emphasis on information sharing's criticality to make progress in ICS and SCADA security. Yesterday provided a lot of ammunition for my argument. All too often programs are destined to...

read more

EnergySec 2012 Wrapup

Last week was EnergySec's 2012 Symposium.  EnergySec is a group with a lot of great energy.  The conference was attended by a mix of hackers, former phone phreaks, energy sysadmins, auditors, and executives. The theme this year was, "Stop being...

read more

Friday News & Notes

LAST DAY - Submit your presentation proposal for S4 2013, Jan 16-17 in Miami Beach. Robert O'Harrow of the Washington Post continued his series to make cyber security issues understandable to the average WashPost newspaper reader. This time he covered spear-phishing...

read more

Telvent Compromised!

Brian Krebs breaks a big story in the ICS security world -- Telvent has been informing customers they have been compromised by the Comment Group. Over the past two decades Telvent has dominated the oil and gas pipeline SCADA market. In recent years they have moved...

read more

Pick Your Fall ICS Security Conference

Remember S4 Call For Papers/Presentations Closes This Friday September / October is a busy week for ICS security events. Joe Weiss just posted the full agenda for ICS Cyber-Security Conference the week of October 22nd in Norfolk, VA (called WEIScon by many). The week...

read more

Germany, Siemens, Stuxnet

Most of the attention, reporting and speculation on Stuxnet perpetrators has been focused on the US and Israel, but what about Siemens and the German Government's possible role in the Stuxnet story? The Siemens and Iran issue came up last week with the Iranian's...

read more

Friday News & Notes

ICS released Version 3.0 of The Roadmap To Secure Control Systems in The Transportation Sector. It's a good primer to transportation sector ICS, which surprisingly includes pipelines. Each sector is defined along with a glossary of key terms. The four goals are very...

read more

Nessus Audit Updates adds Open Ports

Ask and ye shall receive.  Tenable quietly updated Nessus compliance checks today, adding some fancy new "Open Port" auditing features.  Among other things, new rules mean that your audit files can now check for a list of allowed and denied ports, as well as ensure...

read more

British Smart Meter Economics Analyzed

Ross Anderson (past S4 keynoter) and Alex Henney published a paper on the failed economics of the British smart metering project (UK). They contend that when the economic case didn't work out. the government changed the underlying assumptions until the numbers...

read more

Cloning Devices to meet NERC CIP, An Approach

Owners conducting a NERC Cyber Vulnerability Assessment have a requirement to annually verify ports and services. On Windows and Unix based systems, it is trivial and safe to pull a list of listening ports and the configured services thanks to commands like netstat,...

read more

Friday News & Notes

Industrial Defender announced another industry partnership to provide their security products and services to an ICS vendor -- this time with Telvent. As mentioned in an earlier article, the key factor in determining if this is truly pushing security to customers or...

read more

3 Quick Items From Japan

Attention to DCS and SCADA security continues to grow in Japan. Here are three notes: 1. IPA, a Japanese organization that works with government and industry, has partnered with ISASecure to bring the ISASecure certification program to Japan. Certification is...

read more

No Legislation or Executive Orders Needed

All talk, no action. The various agencies are using only a fraction of the power they have to make a difference in ICS and SCADA cybersecurity. All the potential legislation, executive orders, and political platform stances only effective purpose is to make people...

read more

Prioritized Patching and You

So you've decided to start a quarterly or bi-annual patch program, you may find yourself thinking: "Do I really need to patch *everything*?  What are the highest priority patches that I need to apply for the best risk reduction?" The good news is that a lot of...

read more

Friday News & Notes

The ISA99 Committee created a web page with all the work product in process and links to all of the draft documents. This is fantastic and part of their increased effort to get more people aware of and involved in their activities. Today there are 13 draft documents...

read more

100,000 Vulnerabilities

Guest author Andrew Ginter is the Director of Industrial Security at Waterfall Security Solutions, the makers of hardware-enforced unidirectional security gateways. The popular press cites an "alarming" statistic from time to time - the "dramatic" increase in...

read more

WAGO abandons customers, and 3S dodges bullets (for now)

ICS-CERT made a fistful of updates yesterday.  One of them is over a bag of bugs^Wsecurity concerns first revealed by yours truly. This update is a bit odd for a few reasons.  Here is my summary of how it relates to my disclosure: the passwords disclosed by me...

read more

ICS Cyber Security, and the Ripple Effect

Adding new security systems and making updates to the control system in the name of cyber security tends to have a ripple effect. Operational processes that were once nearly bulletproof  have new or unknown steps, recovery efforts that were previously successful...

read more

Cloudy With A Chance Of Craptacular

Guest author Darren Highfill is the Founder and a Managing Partner of UtiliSec, a consultancy focused on electric power cyber security. Darren has been at the forefront of efforts to secure the smart grid since long before the phrase was coined. Clouds. They...

read more

Friday News & Notes

The US Securities and Exchange Commission (SEC) is starting to crack down on cyber incident and cyber risk disclosures. They recently sent letters to six companies, including Eastman Chemical, asking for more information. This is the type of activity that gets C-level...

read more

UPCOMING EVENTS

S4x24 ... 4 - 7 March 2024 in Miami South Beach

Save the date. For the biggest and most future focused on ICS Security Event.

 

 

2012 Articles

by | Jul 12, 2019