2012 Articles

Security Updates in a 1-Way ICS?

The good security practice for getting security updates to an ICS is well understood. A server on the SCADA or DCS network pulls the security updates from the ICS DMZ. The ICS DMZ pulls them from the corporate network, who pulls them from the Internet. You will see...

read more

India, Cybersecurity, and the 2012 Blackout

On July 30th, 2012, the northern region of India had its worst blackout in history, and then again the next day. By number of customers affected, it dwarfed the 2003 Northeast Blackout by ~570 million people. In response, the Indian government created a four person...

read more

Aramco and ICS Isolation

Saudi Aramco admitted that about 30,000 computers had been infected with malware known as Shamoon. They were quick to point out that "its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems....

read more

Friday News & Notes

The LOGIIC (Linking Oil & Gas Industry to Improve Cybersecurity) won the U.S. DHS Science & Technology  Directorate Under Secretary’s Award for Outstanding Collaboration in Science and Technology. According to Automation.com "the award is presented...

read more

ISASecure – Promising Yet Misleading

ISA announced yesterday that the Honeywell Process Solution's Experion DCS controller and Experion Field Integration Module (FIM) have achieved ISASecure Embedded Device Security Assurance certification. This is good news that the ISASecure certification is getting...

read more

More RuggedCom Woes

Justin Clarke and ICS-CERT unveiled another vulnerability in RuggedCom devices yesterday.  This time, Justin took a different track with the device firmware and showed that all products use the same SSL private key, hard-coded in the firmware. This is fairly...

read more

Suits & Spooks vs. Engineers

I agreed to speak at Jeffrey Carr's Suits and Spooks in Boston on October 18th. The theme of this edition is Offensive Tactics Against Critical Infrastructure, and my sector to attack is electric. I'll be showing how an adversary would compromise individual and large...

read more

Nessus for ICS Training

If you are attending the EnergySec Summit, Sep 25 - 27 in Portland, or if you are in the area, learn how to best use Nessus with your SCADA or DCS at our half day training course on the 25th. Space is limited to 20 students so register soon. Most people download...

read more

Friday News & Notes

The big item of the week was Saudi Aramco cutting itself off from the Internet due to a malware incident. According to ICS-CERT, this would be an ICS cyber incident whether it affected their control systems or not because they run a control system. An article is...

read more

Utilizing Demonstrated Engineering Experience

James Arlen, @myrcurial, posted a question on SCADASEC on the phrase "utilizing demonstrated engineering experience". Here is the pull quote/question: "If you are, say - a cookie manufacturer, and you have a cookie manufacturing line built and installed, you need to...

read more

Control Systems and MS Attack Surface Analyzer

I've had a chance to spend some quality time with Microsoft's Attack Surface Analyzer over the past week, which I'm going to refer to as "MS-ASA" to keep my word count down. The tool itself is pretty nifty, it gathers security and other system information from...

read more

Rethinking AMI

Most of the talk about smart grid and smart grid security, especially in the US, revolves around automated metering infrastructure (AMI). And much of the security discussion has to do with the ability of an attacker to turn power on and off to affect customers and...

read more

Friday News & Notes

Last week cyber security legislation failed in the US Senate. This week the Obama Administration is putting the word out that they may implement the parts he believes are critical through Executive Order. Our view is that DHS has all the authority they need to make a...

read more

Thoughts on NERC CIP V5 Unit Splits

I've been looking over the NERC CIP v5 lately, because of a few discussions I've had over the past week. Mainly, it's been the compliance requirements for the 1500 MW Critical Generation cutoff point and the design concept for what is called a "Unit Split". A Unit...

read more

ICS Info Sharing Is Like Clearing Email

The article last week on Information Sharing - What Do You Want? generated some interesting discussion on and off the site. Info sharing proponents named some of the information they wanted. I'm tempted to use the overused analogy of "rearranging the deck chairs on...

read more

Friday News & Notes

The Cybersecurity Act of 2012, S 3414, died in the Senate this week, although they could try again after the recess. No great loss. It wasn't going to pass the House, and it wouldn't have made a difference in ICS security. Jeffrey Carr over on the Digital Dao blog...

read more

Information Sharing – What Do You Want?

Call me an information sharing skeptic. The first truth of information sharing is organizations and individuals only share information if it is in their self interest. This dooms most information sharing efforts because members are in receive only mode. A second...

read more

Government Help! ?

As the US Senate Bill 3414 gains momentum (although I'm still unsure why this is a big story until we hear of corresponding House action), it's worthwhile looking at the sales effort around the proposed law. What we are seeing in public is likely a small amount of the...

read more

Friday News & Notes

We will have an article next week summarizing the Black Hat, BSides and Defcon ICS related papers. So far the most interesting items are Ruben Santamarta's backdoor in the Schneider ION smart meter and two tools that test and hack optical ports on smart meters....

read more

Pwnie Plug Evolution

There is a new version of the PwniePlug, which was previously reported on by Dale.  This model comes in surge-strip form factor. This project is interesting for a few reasons.  First, the PwniePlug/SheevaPlug/etc devices have always turned me off a little as...

read more

Improper Builds

Last week I hinted at a vendor which included internal source code repository information in their firmware.  I contacted the vendor and am told that the secret password has been changed, so it's time to talk about it. When I went hunting for NTP appliances to...

read more

3 More ICS Vulnerability Handling Success Stories

A lot's happening this week in ICS vulnerability handling and a lot of it is positive. 1. ICS-CERT Takes Control I have been critical in the past of ICS-CERT's letting vendors determine when a vulnerability is disclosed. They have changed their policy. UPDATE! ...

read more

The Importance of Vibration Monitoring Systems

After my previous blog post on the NERC-CIP Plant Tour, colleagues asked questions about  the systems mentioned. One of the questions that took some time to answer, and required a lot of explanation, was regarding vibration monitoring systems, specifically the Bently...

read more

Major ICS Vulnerability Dropped Friday

<< Note - I edited one paragraph after further thought and uncertainty of the exact time this was released. My change log says Friday, the date says Thursday. Apologies if the Friday comments are in error, but this is a big impact vuln that is being treated like...

read more

Friday News & Notes

The S4 call for papers announcement and submission page will come out on Monday -- sorry for the delay. You will have two months to submit, but early submittal improves your chances. Speaking of conferences, next week in Las Vegas is BlackHat, BSides and Defcon. Only...

read more

Yet Another Series of Backdoors

A few months ago I was lucky enough to do a lab assessment demoing a secure control system network.  One component of the lab network got my attention a bit: an embedded Network Time server that gets its time from GPS. Its sole function in life is to get time via...

read more

Tridium Fails and ICS-CERT Flails

The Billy Rios / Terry McCorkle article about the vulnerability handling of Tridium and ICS-CERT is a must read. I started to pull quotes from it and found I wanted to include almost everything. It's clear that Tridium was unresponsive not only to Rios/McCorkle report...

read more

Friday News & Notes

Bob O'Harrow of the Washington Post continued his cybersecurity series, this time focusing on vulnerabilities in Honeywell's Tridium that is used in a large number of building management systems, including many directly connected to the Internet. Billy Rios and...

read more

Industrial Espionage, a’la AutoCAD

In a story that broke around June 22nd, and that most of us in the ICS world missed, was the discovery of a virus targeting engineering drawings. It's name is ACAD/Medre.A, and it is specifically designed to snarf up AutoCAD files, and email them to (supposedly)...

read more

Analysis of EMET Effectiveness

If you are interested in the effectiveness of Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) read Gal Badashi at the Security Bits blog post Tweaking Metasploit Modules to Bypass EMET - Part 1. He takes a released Metasploit exploit and payload and...

read more

Friday News & Notes

Sorry for the absence last week, but I was at a SCADA Security Summit up the Wilder Kaiser in the Alps. The best kind of summit with only 1/3 of the talk on ICS security, beautiful scenery and Tyrolean food / German beer in the huts. The WikiLeaks story on...

read more

Wurldtech Certifies Schneider To Certify Schneider

Wurldtech recently certified Schneider Electric as a Communication Certifier.  It took me a bit to wade through what this really means.  Schneider is now authorized to run the Wurldtech Achilles device against Schneider's own systems, and give their own...

read more

Schneider Modicon FTP Backdoor Counter

The recent approval by Wurldtech for Schneider to self certify their products as meeting Achilles certification requirements was enough of a push to put up a replacement to the Siemens / Stuxnet counter as Reid has been suggesting for months. The counter debuts at a...

read more

Japanese NHK 30 Minutes on PLC Vulns

Close Up Gendai is a long running, serious and popular program on Japanese national television station NHK. The audience tends to skew older, but everyone in Japan knows Close Up Gendai. So we were pleased to cooperate with the NHK crew when they wanted to do a...

read more

Updated: PNNL Misleading McAfee Marketing As DoE Assessment

I wrote recently about Pacific Northwest National Labs (PNNL) "assessment" of McAfee's security products applicability for Energy Sector ICS. I called it a love letter and questioned how a National Lab or any other firm that does an assessment could write such gushing...

read more

Are We Spending Enough or Too Much On Security?

The closing session of the Workshop on the Economics of Information Security (WEIS) was a very interesting debate between Dr. Ross Anderson and Bruce Schneier on the topic of spending on information security. Ross argued that we don't spend enough, and Bruce argued...

read more

Economics of Smart Grid Privacy – WEIS

An injurer (company) first balances expected cost of harm with the cost of prevention. This morning at the Workshop on the Economics of Information Security (WEIS) was devoted to privacy. This is an area that was not historically important in ICS, but privacy is a...

read more

Internet-Connected Control Systems Update

Patrick Coyle posted over the weekend that ICS-CERT has updated their "Internet-connected control system" bulletin, first posted in January 2012. The update points out additional control systems vendors and rightly shows the concern that default passwords are present...

read more

Tough Questions in ICS Security Economics

I'm in Berlin preparing to attend the Workshop on the Economics of Information Security (WEIS). ICS owner/operators act in their own best self interest. This is rational behavior for any person or organization. Owner/operators that don't spend money on ICS security do...

read more

Friday News & Notes

Patrick Coyle correctly takes WAGO to task for providing the remediation advice of disabling EtherNet/IP and the web interface if not used. They didn't fix the vulnerability, and it took them five months to put out this advice? Actually, ICS-CERT put out that advice....

read more

Why Antivirus is Not Enough

Few things beat patching, yet on industrial control systems patching is often delayed and delayed and delayed until some event forces the owner's hand. Antivirus is often used as a stop-gap measure to delay patching. This is often not a very good approach. Recently we...

read more

PNNL Assessment of McAfee Security in ICS

Pacific Northwest National Lab (PNNL) released a report "Technology Security Assessment for Capabilities and Applicability in Energy Sector Industrial Control Systems: McAfee Application Control, Change Control and Integrity Control". The date says March...

read more

The Electric Power Plant Tour

Digital Bond has been doing a lot of generation work lately, and I've found myself in plant clothes (safety shoes, hard hat, jeans, cotton shirt) more and more often. There has been a lot of interest in the cyber security of generation plants, and not all of it is due...

read more

Friday News & Notes

Kaspersky's analysis found that Flame and Stuxnet had code in common according to an article in TPM. "The code in common was used to install and propagate the malware onto computers from an infected USB stick by causing the victim’s computer to “autorun” the malware...

read more

Korenix and ORing Use Crypto™

A client was recently interested in a particular brand of serial port to Ethernet converter.  I've done my own with socat, and worked professionally on pen-testing an (IMO) excellent secure serial to Ethernet front-end that adds a lot of security and management...

read more

Analysis of Spear Phishing Malware File

The following is guest post courtesy of Ned Moran of the Shadowserver Foundation. This post is a technical analysis of the malware used in a spear phishing attack targeting those interested in ICS security . Dale was kind enough to share a copy of the spear phishing...

read more

Friday News & Notes

First, comments are back up and running on the website. We still are sorting out a few other issues and apologize for the inconvenience. The Hill reports that "President Obama and senior administration officials participated in a simulated cyberattack exercise on...

read more

Siemens – The Good, The Bad & The Bravado

A friend sent me a 24-page Network Security brochure from Siemens dated May 2012 with more detail on Siemens S7 security offerings and overall security strategy (we will add the link when it is up on the Siemens site). We would still like to get more technical detail,...

read more

Spear Phishing Attempt

UPDATE: Added picture of email text Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee.  The attack linked to a probably-malicious .zip file based upon an old research...

read more

NY Times Historical Fiction on Stuxnet

The NY Times published an enhanced excerpt from David Sangers' new book Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power. The long article focuses on the US and Israeli efforts to use Stuxnet to delay the Iranian nuclear program,...

read more

UPCOMING EVENTS

 

S4x20 ... Jan 21 - 23 in Miami South Beach

Make sure you mark your calendar for the largest and most advanced OT / ICS Security event. And you can catch up on past S4 on the S4xEvents YouTube Channel.

2019 PAST EVENTS

Sept 19-20 in Sochi, Russia

I'll give a keynote at the Kaspersky Industrial Cybersecurity Conference 2019. I spoke at this event in 2017, and Kaspersky is always a tremendous host.

Sept 12 in Phoenix

I spoke at a private company event.

April 11th in Cebu

A private event where I'll discuss the future of attacks on and defense of Level 1 devices (PLC's). A lot changed in 2018, and this is just a hint as to what is coming.

March 5th in San Francisco

I moderated an event by the Basque Cybersecurity Centre to promote leading edge cybersecurity countries in the region. 

February 4th in New Orleans

Best Practices in Utility Security at Distributech. (See the video) I spoke about Real Time Network and Asset Monitoring at this new event. Lot's to say after the S4x19 ICS Detection Challenge experience.

 

 

2012 Articles

by | Jul 12, 2019