2012 Articles
Security Updates in a 1-Way ICS?
The good security practice for getting security updates to an ICS is well understood. A server on the SCADA or DCS network pulls the security updates from the ICS DMZ. The ICS DMZ pulls them from the corporate network, which pulls them from the Internet. You will see...
India, Cybersecurity, and the 2012 Blackout
On July 30th, 2012, the northern region of India had its worst blackout in history, and then again the next day. By number of customers affected, it dwarfed the 2003 Northeast Blackout by ~570 million people. In response, the Indian government created a four person...
Aramco and ICS Isolation
Saudi Aramco admitted that about 30,000 computers had been infected with malware known as Shamoon. They were quick to point out that "its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems....
Friday News & Notes
The LOGIIC (Linking Oil & Gas Industry to Improve Cybersecurity) won the U.S. DHS Science & Technology Directorate Under Secretary’s Award for Outstanding Collaboration in Science and Technology. According to Automation.com "the award is presented...
ISASecure – Promising Yet Misleading
ISA announced yesterday that the Honeywell Process Solution's Experion DCS controller and Experion Field Integration Module (FIM) have achieved ISASecure Embedded Device Security Assurance certification. This is good news that the ISASecure certification is getting...
More RuggedCom Woes
Justin Clarke and ICS-CERT unveiled another vulnerability in RuggedCom devices yesterday. This time, Justin took a different track with the device firmware and showed that all products use the same SSL private key, hard-coded in the firmware. This is fairly...
Suits & Spooks vs. Engineers
I agreed to speak at Jeffrey Carr's Suits and Spooks in Boston on October 18th. The theme of this edition is Offensive Tactics Against Critical Infrastructure, and my sector to attack is electric. I'll be showing how an adversary would compromise individual and large...
Nessus for ICS Training
If you are attending the EnergySec Summit, Sep 25 - 27 in Portland, or if you are in the area, learn how to best use Nessus with your SCADA or DCS at our half day training course on the 25th. Space is limited to 20 students so register soon. Most people download...
Friday News & Notes
The big item of the week was Saudi Aramco cutting itself off from the Internet due to a malware incident. According to ICS-CERT, this would be an ICS cyber incident whether it affected their control systems or not because they run a control system. An article is...
Utilizing Demonstrated Engineering Experience
James Arlen, @myrcurial, posted a question on SCADASEC on the phrase "utilizing demonstrated engineering experience". Here is the pull quote/question: "If you are, say - a cookie manufacturer, and you have a cookie manufacturing line built and installed, you need to...
Control Systems and MS Attack Surface Analyzer
I've had a chance to spend some quality time with Microsoft's Attack Surface Analyzer over the past week, which I'm going to refer to as "MS-ASA" to keep my word count down. The tool itself is pretty nifty, it gathers security and other system information from...
Rethinking AMI
Most of the talk about smart grid and smart grid security, especially in the US, revolves around automated metering infrastructure (AMI). And much of the security discussion has to do with the ability of an attacker to turn power on and off to affect customers and...
Friday News & Notes
Last week cyber security legislation failed in the US Senate. This week the Obama Administration is putting the word out that they may implement the parts he believes are critical through Executive Order. Our view is that DHS has all the authority they need to make a...
Thoughts on NERC CIP V5 Unit Splits
I've been looking over the NERC CIP v5 lately, because of a few discussions I've had over the past week. Mainly, it's been the compliance requirements for the 1500 MW Critical Generation cutoff point and the design concept for what is called a "Unit Split". A Unit...
ICS Info Sharing Is Like Clearing Email
The article last week on Information Sharing - What Do You Want? generated some interesting discussion on and off the site. Info sharing proponents named some of the information they wanted. I'm tempted to use the overused analogy of "rearranging the deck chairs on...
Friday News & Notes
The Cybersecurity Act of 2012, S 3414, died in the Senate this week, although they could try again after the recess. No great loss. It wasn't going to pass the House, and it wouldn't have made a difference in ICS security. Jeffrey Carr over on the Digital Dao blog...
Information Sharing – What Do You Want?
Call me an information sharing skeptic. The first truth of information sharing is organizations and individuals only share information if it is in their self interest. This dooms most information sharing efforts because members are in receive only mode. A second...
Government Help! ?
As the US Senate Bill 3414 gains momentum (although I'm still unsure why this is a big story until we hear of corresponding House action), it's worthwhile looking at the sales effort around the proposed law. What we are seeing in public is likely a small amount of the...
Friday News & Notes
We will have an article next week summarizing the Black Hat, BSides and Defcon ICS related papers. So far the most interesting items are Ruben Santamarta's backdoor in the Schneider ION smart meter and two tools that test and hack optical ports on smart meters....
Pwnie Plug Evolution
There is a new version of the PwniePlug, which was previously reported on by Dale. This model comes in surge-strip form factor. This project is interesting for a few reasons. First, the PwniePlug/SheevaPlug/etc devices have always turned me off a little as...
Improper Builds
Last week I hinted at a vendor which included internal source code repository information in their firmware. I contacted the vendor and am told that the secret password has been changed, so it's time to talk about it. When I went hunting for NTP appliances to...
3 More ICS Vulnerability Handling Success Stories
A lot's happening this week in ICS vulnerability handling and a lot of it is positive. 1. ICS-CERT Takes Control: I have been critical in the past of ICS-CERT's letting vendors determine when a vulnerability is disclosed. They have changed their policy. UPDATE! ...
The Importance of Vibration Monitoring Systems
After my previous blog post on the NERC-CIP Plant Tour, colleagues asked questions about the systems mentioned. One of the questions that took some time to answer, and required a lot of explanation, was regarding vibration monitoring systems, specifically the Bently...
Major ICS Vulnerability Dropped Friday
<< Note - I edited one paragraph after further thought and uncertainty of the exact time this was released. My change log says Friday, the date says Thursday. Apologies if the Friday comments are in error, but this is a big impact vuln that is being treated like...
Friday News & Notes
The S4 call for papers announcement and submission page will come out on Monday -- sorry for the delay. You will have two months to submit, but early submittal improves your chances. Speaking of conferences, next week in Las Vegas is BlackHat, BSides and Defcon. Only...
Yet Another Series of Backdoors
A few months ago I was lucky enough to do a lab assessment demoing a secure control system network. One component of the lab network got my attention a bit: an embedded Network Time server that gets its time from GPS. Its sole function in life is to get time via...
Tridium Fails and ICS-CERT Flails
The Billy Rios / Terry McCorkle article about the vulnerability handling of Tridium and ICS-CERT is a must read. I started to pull quotes from it and found I wanted to include almost everything. It's clear that Tridium was unresponsive not only to Rios/McCorkle report...
Friday News & Notes
Bob O'Harrow of the Washington Post continued his cybersecurity series, this time focusing on vulnerabilities in Honeywell's Tridium that is used in a large number of building management systems, including many directly connected to the Internet. Billy Rios and...
Industrial Espionage, a’la AutoCAD
A story that broke around June 22nd, and that most of us in the ICS world missed, was the discovery of a virus targeting engineering drawings. Its name is ACAD/Medre.A, and it is specifically designed to snarf up AutoCAD files, and email them to (supposedly)...
Analysis of EMET Effectiveness
If you are interested in the effectiveness of Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) read Gal Badashi at the Security Bits blog post Tweaking Metasploit Modules to Bypass EMET - Part 1. He takes a released Metasploit exploit and payload and...
Friday News & Notes
Sorry for the absence last week, but I was at a SCADA Security Summit up the Wilder Kaiser in the Alps. The best kind of summit with only 1/3 of the talk on ICS security, beautiful scenery and Tyrolean food / German beer in the huts. The WikiLeaks story on...
Wurldtech Certifies Schneider To Certify Schneider
Wurldtech recently certified Schneider Electric as a Communication Certifier. It took me a bit to wade through what this really means. Schneider is now authorized to run the Wurldtech Achilles device against Schneider's own systems, and give their own...
Schneider Modicon FTP Backdoor Counter
The recent approval by Wurldtech for Schneider to self certify their products as meeting Achilles certification requirements was enough of a push to put up a replacement to the Siemens / Stuxnet counter as Reid has been suggesting for months. The counter debuts at a...
Japanese NHK 30 Minutes on PLC Vulns
Close Up Gendai is a long running, serious and popular program on Japanese national television station NHK. The audience tends to skew older, but everyone in Japan knows Close Up Gendai. So we were pleased to cooperate with the NHK crew when they wanted to do a...
Updated: PNNL Misleading McAfee Marketing As DoE Assessment
I wrote recently about Pacific Northwest National Labs (PNNL) "assessment" of McAfee's security products applicability for Energy Sector ICS. I called it a love letter and questioned how a National Lab or any other firm that does an assessment could write such gushing...
Are We Spending Enough or Too Much On Security?
The closing session of the Workshop on the Economics of Information Security (WEIS) was a very interesting debate between Dr. Ross Anderson and Bruce Schneier on the topic of spending on information security. Ross argued that we don't spend enough, and Bruce argued...
Economics of Smart Grid Privacy – WEIS
An injurer (company) first balances expected cost of harm with the cost of prevention. This morning at the Workshop on the Economics of Information Security (WEIS) was devoted to privacy. This is an area that was not historically important in ICS, but privacy is a...
Do Contagion and Prey/Predator Models Explain Increase in ICS Vulns?
My hope in attending WEIS is to learn of new methods for applying security economics to the ICS world. One area of interest is a model to explain the increase in ICS reported vulnerabilities and predict and profile future vulnerabilities. Two models were raised in a...
Internet-Connected Control Systems Update
Patrick Coyle posted over the weekend that ICS-CERT has updated their "Internet-connected control system" bulletin, first posted in January 2012. The update points out additional control systems vendors and rightly shows the concern that default passwords are present...
Tough Questions in ICS Security Economics
I'm in Berlin preparing to attend the Workshop on the Economics of Information Security (WEIS). ICS owner/operators act in their own best self interest. This is rational behavior for any person or organization. Owner/operators that don't spend money on ICS security do...
Friday News & Notes
Patrick Coyle correctly takes WAGO to task for providing the remediation advice of disabling EtherNet/IP and the web interface if not used. They didn't fix the vulnerability, and it took them five months to put out this advice? Actually, ICS-CERT put out that advice....
Why Antivirus is Not Enough
Few things beat patching, yet on industrial control systems patching is often delayed and delayed and delayed until some event forces the owner's hand. Antivirus is often used as a stop-gap measure to delay patching. This is often not a very good approach. Recently we...
PNNL Assessment of McAfee Security in ICS
Pacific Northwest National Lab (PNNL) released a report "Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems: McAfee Application Control, Change Control and Integrity Control". The date says March...
The Electric Power Plant Tour
Digital Bond has been doing a lot of generation work lately, and I've found myself in plant clothes (safety shoes, hard hat, jeans, cotton shirt) more and more often. There has been a lot of interest in the cyber security of generation plants, and not all of it is due...
Friday News & Notes
Kaspersky's analysis found that Flame and Stuxnet had code in common according to an article in TPM. "The code in common was used to install and propagate the malware onto computers from an infected USB stick by causing the victim’s computer to “autorun” the malware...
Korenix and ORing Use Crypto™
A client was recently interested in a particular brand of serial port to Ethernet converter. I've done my own with socat, and worked professionally on pen-testing an (IMO) excellent secure serial to Ethernet front-end that adds a lot of security and management...
Confront and Conceal – Stuxnet Technical Review, Comments & Questions
I read the Stuxnet portion of David Sanger's Confront & Conceal. Stuxnet is actually only a small part of the book, but it is the first sensational story in the Prologue to capture the reader's attention and most of Chapter 8. I had called the earlier NY Times...
Analysis of Spear Phishing Malware File
The following is a guest post courtesy of Ned Moran of the Shadowserver Foundation. This post is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security. Dale was kind enough to share a copy of the spear phishing...
Friday News & Notes
First, comments are back up and running on the website. We still are sorting out a few other issues and apologize for the inconvenience. The Hill reports that "President Obama and senior administration officials participated in a simulated cyberattack exercise on...
Siemens – The Good, The Bad & The Bravado
A friend sent me a 24-page Network Security brochure from Siemens dated May 2012 with more detail on Siemens S7 security offerings and overall security strategy (we will add the link when it is up on the Siemens site). We would still like to get more technical detail,...
Spear Phishing Attempt
UPDATE: Added picture of email text. Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee. The attack linked to a probably-malicious .zip file based upon an old research...
NY Times Historical Fiction on Stuxnet
The NY Times published an enhanced excerpt from David Sanger's new book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. The long article focuses on the US and Israeli efforts to use Stuxnet to delay the Iranian nuclear program,...