DHS released version 4.1 of their Cyber Security Evaluation Tool (CSET). This version adds Visio support for network diagrams. CSET is a good do-it-yourself option for those who can’t afford pricey consultants like Digital Bond. I hope to give it a test drive and write up the results soon.
Ruben Santamarta found some backdoors in the Schneider ION Smart Meters (tough week for Schneider) and Eireann Leverett found 12,659 HVAC systems from a single manufacturer on the Internet. Reid will cover these AppSec stories in more detail next week.
How deep does deep packet inspection (DPI) need to be? Eric Byres is writing a blog series on DPI in support of his Tofino firewall. It’s worth a read if you are new to DPI, see Part 1 and Part 2. Reid’s recent foray into the Schneider Modbus implementation is a good example of why the answer is "deeper than the function code." Inspecting down to the function code would gain you little there, because Schneider’s Unity engineering software carries so many different operations, benign reads and dangerous writes alike, inside function code 90. A rule that allows function code 90 so the engineering workstation keeps working allows all of them. An effective DPI would need to inspect the subcodes or other protocol parameters that follow the function code and decide on those. Eric is on the right track with DPI of ICS protocols, but implementation takes more work on complex protocols, and Modbus is the easiest by far.
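To make the "function code is not enough" point concrete, here is a small Modbus/TCP inspector with two rule depths, run over a few constructed frames. This is example code added for this post; it is not Tofino's, Schneider's, or Reid's code. Two things in it are assumptions rather than facts from the post: that the subcode in a function-code-90 PDU sits in the byte after a one-byte session field, and the specific subcode values in the allow-list, which are placeholders chosen for illustration (a real rule set would come from vendor documentation or from captures of the engineering workstation).

```python
"""Modbus/TCP DPI at two depths: function code only vs. function code plus
vendor subcode.  Added example, not vendor code.  Assumptions: subcode byte
position inside function code 90, and the placeholder subcode values."""
import struct
from dataclasses import dataclass

# Public function codes from the Modbus Application Protocol Specification.
READ_FUNCTIONS = {1, 2, 3, 4}             # read coils / discrete inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # write coils / registers
FC_VENDOR_90 = 90                         # 0x5A: the code Schneider's Unity traffic rides on

# Placeholder subcodes for this example only (assumption, not from vendor docs).
SUBCODE_READ_INFO = 0x04
SUBCODE_STOP_PLC = 0x41
ALLOWED_SUBCODES = {SUBCODE_READ_INFO}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_frame(unit_id, function_code, data, transaction_id=1):
    """MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_frame(raw):
    """Parse one Modbus/TCP frame, failing closed on anything malformed."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", raw[:8])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(raw) - 6:
        raise ValueError("MBAP length %d does not match payload" % length)
    return ModbusFrame(tid, uid, fc, raw[8:])


def shallow_policy(frame):
    """Function-code-only inspection.  Unity traffic has to be allowed for the
    engineering workstation to work, so every function-code-90 PDU passes."""
    if frame.function_code in READ_FUNCTIONS:
        return "allow"
    if frame.function_code == FC_VENDOR_90:
        return "allow"
    return "deny"


def deep_policy(frame, allowed_subcodes=ALLOWED_SUBCODES):
    """Same as above, but function code 90 is decided on its subcode."""
    if frame.function_code in READ_FUNCTIONS:
        return "allow"
    if frame.function_code == FC_VENDOR_90:
        if len(frame.data) < 2:
            return "deny"  # truncated PDU: fail closed rather than guess
        subcode = frame.data[1]  # assumption: byte after a one-byte session field
        return "allow" if subcode in allowed_subcodes else "deny"
    return "deny"


# Constructed sample frames for the example (not captured traffic).
SAMPLES = {
    "read_holding_registers": build_frame(1, 3, struct.pack(">HH", 0, 10)),
    "write_single_register": build_frame(1, 6, struct.pack(">HH", 0, 0x1234)),
    "unity_read_info": build_frame(1, FC_VENDOR_90, bytes([0x00, SUBCODE_READ_INFO])),
    "unity_stop_plc": build_frame(1, FC_VENDOR_90, bytes([0x00, SUBCODE_STOP_PLC])),
}


def evaluate(samples=SAMPLES):
    """Return {name: (shallow decision, deep decision)} for each sample frame."""
    return {name: (shallow_policy(parse_frame(raw)), deep_policy(parse_frame(raw)))
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, (shallow, deep) in evaluate().items():
        print(f"{name:24s} function-code DPI: {shallow:5s}  subcode DPI: {deep}")
```

The two function-code-90 frames are indistinguishable to the shallow policy; only the subcode-aware one separates the read from the stop. Note that the deep policy also denies a truncated function-code-90 PDU instead of letting it through, which is the behaviour you want from an inline device that cannot see enough to decide.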
The press, sometimes led on by sources and sometimes purposefully, is conflating cyber attacks on, and the security of, the companies that own or operate the critical infrastructure with attacks on, and the security of, the critical infrastructure itself. Two examples this week. First, the GAO issued an audit report of Bonneville Power Administration’s IT program. The reporting and subsequent tweeting implied that the vulnerabilities were related to the power systems, while the audit report is very clear that the security audit was of the business systems on the corporate network.
The second example is a Network World article: DHS America’s Water and Power Utilities Under Daily Cyber Attack. Well, yes, as is every business with an Internet connection. The article has DHS/INL talking about 17 fly-away missions they performed in 2011; 7 were related to spear phishing and 11 were “very sophisticated”. This is almost worthless information. It’s anecdotal, not even close to statistically significant. Anecdotal examples can be helpful, but you have to describe the details of the story. DHS should be providing detailed information on each attack, particularly any elements that are ICS-specific in method or targeting, omitting the company name, IP addresses and other company-identifying details of course.
This week saw an interesting ICS-CERT bulletin on the ABB Multiple Components Buffer Overflow found by McCorkle and Rios. “Because these are legacy products nearing the end of their life cycle, ABB does not intend to patch these vulnerable components”. I’m not going to bash ABB for this foreverday response; it’s a decision I might make as a project manager with an old product that was not designed to be secure. It might be better to focus security efforts on newer products and provide an upgrade path for clients. At least ABB told their customers the truth rather than letting a vulnerability linger unaddressed with no information on whether a patch would be forthcoming. Owners of these components now know the fix is an upgrade or compensating controls, not a patch, and can plan accordingly.
The automation advertorial press continues to avoid anything security related that would reflect badly on their potential advertisers. I have to assume they do the same on other technical issues, and they should be viewed as cheerleaders.
Francis Cianfrocca of Bayshore Networks announced an open source ICS protocol fuzzer at AppSec DC yesterday. He promised more information and download instructions soon.
Ralph Langner’s Stuxnet Deep Dive video has been the most popular S4 video with 24K downloads and 11K start-to-finish viewings. The last number speaks to the quality of the presentation, as it is over an hour long. Remember that you can see all of the S4 videos, and we will be putting up some of the best videos from past S4 events soon.
There were a couple of articles yesterday on the latest Project Basecamp release, including Kim Zetter’s Wired article Researchers Release New Exploits to Hijack Critical Infrastructure and Paul Roberts’ Threatpost article Project Basecamp Adds Stuxnet-type Attack Module to Metasploit.
Tweet of the Week
I couldn’t choose just one this week.
Worth Reading Articles
- Dark Reading article Damage Mitigation As The New Defense DP Note: ICS community needs to embrace this, but it will give those relying on the security perimeter chills.
- Foreign Policy article Cyberwar Is Already Upon Us Pull quote: “The advantage lies with those who take the offensive.”
Critical Intelligence’s ICS Security Event Calendar Updates
Nothing new added to the calendar this week.
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by ansik