2012 Articles

Friday News & Notes

We covered the big stories of the week, the Siemens announcement, Flame and the NY Times article in earlier entries. Here is what else happened. Emerson DeltaV vulnerabilities made an ICS-CERT Alert this week. This is noteworthy because DeltaV is not some free demo...

Stuxnet Clock Stops At 625 Days

We have been running a Stuxnet clock in the right sidebar with the tag line: Siemens has not fixed Stuxnet S7 vulns for ... Yesterday Siemens officially announced a firewall and VPN solution that should prevent the Stuxnet attack on the S7 PLC. So we have stopped the...

Anti-Virus and Flame

I've been disinterested in the Flame story and then the anti-Flame backlash. There isn't any data yet that makes it more pertinent to the ICS world than any other non-ICS incident. Not that it isn't a fascinating piece of malware worthy of investigation based on its...

Bandolier Baseline Update for Server 2008 R2

As part of developing Bandolier Security Audit Files for various control system components, see the full list here, we need to start with security audit files for the recommended OS security settings. These recommended settings are then modified as necessary for the...

Friday News & Notes

I've been surprised by the relative silence on the NERC CIP Version 5 ballot results. Perhaps everyone knew most would fail by a sizable margin (e.g. CIP-002 37%, CIP-004 39%, CIP-006 39%, CIP-007 46%). Only CIP-008 passed, but CIP-003 and CIP-009 came close with...

Intel, VxWorks, McAfee, NitroSecurity Strategy

When Intel followed the acquisition of Wind River, the maker of the popular PLC OS VxWorks, with the acquisition of McAfee, our curiosity was piqued. More recently they acquired SIEM vendor NitroSecurity who had a significant and sustained effort on ICS security. So...

CIP V3 vs V5 – Blackstart is Low?

My last post regarding NERC CIP V5 is about the automatic 'Low' classification of Blackstart generation resources that do not meet bright line criteria. The committee cites compliance costs and a potential withdrawal of blackstart resources as the primary drivers for...

Friday News & Notes

Richard Bejtlich blogged "SEC Guidance Is A Really Big Deal" regarding the SEC telling companies they need to disclose cyber incidents and risks. If you read financial statements you are already beginning to see cyber security disclosures alongside other material...

EMET v3 Introduces Group Policy, More

EMET v3 was released two days ago and it introduces a most-coveted feature: support for management via Group Policy. EMET is Microsoft's answer to legacy software problems. It introduces address space layout randomization and other wizardry to legacy...

The Hidden Dangers of DNS

DNS is probably the second most misunderstood protocol (the first being the control protocol du network), and that needs to change. I can't claim to be anything close to a DNS expert, but am known to do neat tricks with it now and then. A few years back I was...

Another DHS Bungle or Risky Stratagem?

DHS Control System Security Program (CSSP) actions in the natural gas pipeline alert get even stranger. They have either bungled helping natural gas pipeline companies to protect themselves or have some risky stratagem to take down an attacker and are willing to...

A Request for a Competitive Process

Guest author Sean McBride is the Director of Analysis and Co-founder of Critical Intelligence, a company that provides Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders. One...

ICS-CERT ≠ DHS CSSP; INL = DHS CSSP

Let's take a closer look at DHS since this is the week of DHS's ICSJWG Spring Conference. Like many, I'm guilty of treating ICS-CERT as if they are THE DHS sponsored organization responsible for ICS security in the US Government. ICS-CERT is part of the DHS Control...

SCADACON (ICS Readiness Condition)

There have been more than a few hysterical articles, also full of hysteria, in the press based on attack information provided by DHS. Wow, a number of large companies have been subject to a spear-phishing attack! ICS specific threat or attack information = 0. This...

Friday News & Notes

ISA99 had a busy, well attended 3-day set of Working Group Meetings this week in Gaithersburg, MD. A lot of work gets done in these sessions, and it's a testament to ISA99 that they continue to get this level of participation and effort through many years of work. We hope...

The Curious Incident of the Original Switch Manufacturer

Dan Goodin at Ars Technica pointed out something very curious to me yesterday. RuggedCom recently took down their 'Customers' page, which includes a list of companies for which RuggedCom is the OEM. Fortunately various search engines keep caches of these...

RuggedCom Owes its Customers an Explanation

RuggedCom was first contacted by Justin Clarke in April 2011 concerning backdoor access to their switches and serial converters. Late on Friday, they announced that they would remove the account from their devices, and that the change would only take a few...

Friday News & Notes

The big story of the week was Justin W. Clarke's disclosure of an undocumented, remotely accessible backdoor to selected Ruggedcom equipment. But there were other stories. We could link to a wide variety of articles on the US cybersecurity legislative efforts, but...

(Un)Protected Cyber Assets – CIP V3 vs V5

I'm continuing my review of the NERC CIP V5 standard updates, and discussing what good/bad things I find on DigitalBond.com. This week's focus is Protected Cyber Assets. According to the glossary, a Protected Cyber Asset is: A Cyber Asset connected using a routable...

Committee Hearing Actual Witnesses

Last week I wrote about a dream panel of witnesses for the US House of Representatives Committee on Homeland Security hearing titled: America is Under Cyber Attack: Why Urgent Action is Needed. Here is the actual and predictable list: Mr. Shawn Henry, Former Executive...

Ruggedcom Backdoor Revealed – Fragile... Maybe Not

UPDATE - The vulnerability was found by Justin W. Clarke, an independent security researcher in San Francisco, California. We don't cover most of the ICS vulnerabilities on this site, but the Ruggedcom Undocumented Backdoor Access is a huge risk...

Cool Tools: USB Rubber Duck

A few months back, security researcher Justin Engler (@JustinEngler) introduced me to a neat toy: the USB Rubber Duck. The Duck is a USB thumb-drive lookalike with a secret -- the hardware is really a microcontroller with a microSD Card interface. The device can...

Friday News & Notes

Lots of action and disagreement on cybersecurity legislation in the US Government. One of the main ICS security partisan divides is around regulation of the privately owned critical infrastructure. This week the White House chimed in: "National Security Council...

5 Dream Witnesses for a Committee Hearing

Next Tuesday the US House of Representatives Committee on Homeland Security will have a hearing titled: America is Under Cyber Attack: Why Urgent Action is Needed. The panel who will provide testimony and answer questions has not been announced. If it follows typical...

The NERC Vulnerability Assessment, V3 vs V5

I've been doing a lot of work that involves the CIP vulnerability assessment process recently, namely while developing the Bandolier R8 Audit Files, and another more comprehensive file set that hasn't been released yet. This week, I had the opportunity to sit in on...

Friday News & Notes

The latest Version 5 of the NERC CIP standards is now open for comment through May 21st. Version 5 adds CIP-010: Configuration Management and Vulnerability Assessments and CIP-011: Information Protection to the existing CIP-002 to CIP-009. The NERC presentation on...

Koyo Responds

Koyo/Automation Direct has responded to Basecamp and has made many of the right moves. Yesterday's ICSA-12-102-02 pretty much says it all: Koyo has disabled the device's webserver by default, and they've added a lockout feature for password guessing. Hosteng.com has...

The Future of Project Basecamp

First a reminder of the goal: The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end. SCADA and DCS owner/operators will demand a secure and robust PLC, and this...

AppSecDC In Review

While there were some great talks at AppSecDC, the attendance at their Critical Infrastructure track was not very high. Critical Infrastructure is a new topic area for the AppSec conference this year and it's unclear if it will survive. OWASP has a lot of...

Why WAGO in Project Basecamp? Answer: 3S CoDeSys

On Friday I wrote on why the Stuxnet-type exploit module for the Modicon Quantum was important to show just how easy it is to upload rogue ladder logic. The other big news from Reid's presentation, you can see the slides below, was the introduction of the WAGO IPC...

Stuxnet-Type Attacks Are Easy

Reid presented the latest from Project Basecamp yesterday, what he called Camp 4, at AppSec DC. He has done great work in a short amount of time, between the paying projects and I suspect often on nights and weekends. I didn't want to step on his blog article...

Friday News & Notes

DHS released version 4.1 of their Cyber Security Evaluation Tool (CSET). This version adds Visio support for network diagrams. CSET is a good do-it-yourself option for those who can't afford pricey consultants like Digital Bond. I hope to give it a test drive and...

Project Basecamp: News from Camp 4

Today Digital Bond released two new Metasploit modules affecting Schneider Modicon Quantum PLCs. I believe that these only affect PLCs with a "Unity" ethernet card, although I would guess that the exploit could be adapted to other controller types with minimal...

Regulation Lessons From NERC CIP

Bryan Owen and Ralph Langner had great comments on our recent NERC CIP, Non-US Utilities and Security article. Here is an extended version of my response and comment. ---------- NERC CIP has certainly provided some useful data points and leads to what I believe are...

Economics of Information Security

I've been wanting to go to the Workshop on the Economics of Information Security (WEIS) for a decade now. This year it is in Berlin so I'm registered, committed with plane tickets in hand for WEIS 2012, June 25-26. Economics of Information Security is still a green...

NERC CIP, Non-US Utilities and Security

Sometimes it helps to escape the bubble to get new information and fresh thoughts. Below are three recent information points and four observations on regulation and real security after a long trip outside the US. Some of the observations are not new, but they are big...

ISA Security Assurance Level Concept and Reality

The ISA 99 Security Committee has been hard at work on writing Security Assurance Levels (SAL) into the ISA / IEC standard. It's been slow going and difficult work, and may prove to be impossible for this committee. The idea of a SAL came from many in the committee...

More on Japan and ICS Security

More information from Japan. As mentioned earlier this week, the Japanese Ministry of Economics, Trade and Industry (METI) has stepped up efforts on ICS security. The trigger was a malware infection spread by email of Mitsubishi Heavy Industries reported in 2011....

ICS Security and Japan

Over in Tokyo this week visiting customers and old friends, and it's good to see the level of interest and concern in ICS security is growing. Like the US and rest of the world there still is a long way to go. A high percentage of the Japanese critical infrastructure...

60 Minutes on Stuxnet

Loyal blog readers should watch last night's 60 Minutes segment on Stuxnet, some of the web extras, and an interesting Overtime segment with Dillon Beresford. You won't learn much that is new to you, but you will be able to answer questions and comment when your family...

No More Hero Time

SCADA and DCS foster an engineer hero culture. The plant, pipeline or process is not operating properly. The one or two individuals, almost always guys who have 15+ years experience in the plant, are able to troubleshoot the problem, make a change on the fly, and get...

SCADASEC 101 and Defense in Depth

Four quick and different points to make in this blog:

1. Eric Byres has started a blog series on the very important defense in depth security concept
2. Defense in depth does not obviate the need for proper risk management and addressing major risks Project Basecamp...

Get Your ICS Off The Internet!

A number of loyal readers have been sending in examples of vulnerable, Internet accessible control systems. The example below from Patrick Stave of Norway is representative of what we are receiving. In this case, I 100% agree with ICS-CERT that if you have your SCADA...

US Congress Trying to Deal With ICS Community Failures

The fact that Congress has to deal with DCS and SCADA security for the critical infrastructure is another representation of failure by all in the ICS community, but in the US Government realm primarily by DHS as the responsible government agency. Congress can't be an...

What Should You Do … Part 4 – Gov & Stds Orgs

Project Basecamp highlights the fragility and insecurity in most PLC's and provides tools so anyone can demonstrate and prove it. There should be no doubt that after ten years the ICS community needs to deal with this, but how? Part 1 covered what Asset Owners should...

What Should You Do … Part 3 – PLC Vendors

Project Basecamp highlights the fragility and insecurity in most PLC's and provides tools so anyone can demonstrate and prove it. There should be no doubt that after ten years the ICS community needs to deal with this, but how? Part 1 covered what Asset Owners should...

ODVA Responds To Project Basecamp

ODVA, the organization in charge of the EtherNet/IP protocol, responds to the Project Basecamp Metasploit module and payloads that take advantage of the protocol's lack of authentication to reboot or completely stop the device. It basically says yes, this is true, because...

What Should You Do … Part 2

Hopefully loyal readers now accept that we need to address the decade old problem of insecure and fragile PLC's/RTU's/field devices, and the Basecamp information and tools provide some additional compelling evidence and demonstrations to prove the point to senior...

What Should You Do With Basecamp Knowledge & Tools?

More Project Basecamp modules and tools have been released today. The Basecamp reaction has been predictable and disappointing at the same time. The initial furor is over the disclosure, and there continues to be very little anger over the fragility and insecurity...

Valentine’s Day SCADA Tools Release

Written By Reid Wightman

Vendors are red
SCADA is blue
Now everybody
can demonstrate vulnerabilities in controllers

As promised, we have more PLC exploits ready to roll in time for Valentine's Day. First, I can't stress enough how much the other Basecamp researchers have...

The Sherpa: Basecamp Redux

Written By Reid Wightman

I've experienced a lot of cognitive dissonance concerning the Basecamp disclosure and exploit tools release over the last few months. I might as well explain some more thinking of why doing what we've done is a good idea in the end. I'll...


Jul 12, 2019