The latest Version 5 of the NERC CIP standards is now open for comment through May 21st. Version 5 adds CIP-010: Configuration Management and Vulnerability Assessments and CIP-011: Information Protection to the existing CIP-002 to CIP-009. The NERC presentation on Version 5 used the term “balanced flexibility”. CIP watchers expect this to get ugly. Our Michael Toecker has some Version 5 articles planned so stay tuned.
The 2012 Repository of Industrial Security Incidents (RISI) annual report is out. I have an ongoing love/hate relationship with this report. We have so little data that any data is welcome, and this year RISI performed a survey which likely is the highlight rather than the incident database. That said, the public release of the data is statistically sloppy and doesn’t deal with the minimal data and collection bias. They have collected 220 incidents over 11 years and only 45 of these incidents occurred in the last two years. A substantial amount of the “incidents” are gathered from open source, and it’s unclear if non ICS incidents on critical infrastructure companies, like Night Dragon, are included. Any statistics from this minimal data need huge asterisks explaining numbers and sources. RISI doesn’t help itself with vague statements such as “35% of industrial control system (ICS) security incidents were initiated through remote access” from the press release. Is this 35% of the last 11 years? 35% of 2011 incidents (which could mean 7 incidents)? The report, available for $995, probably explains all this in more detail, but the questionable statistics will be reported with more certainty than warranted as they are every year. A five page summary would be much more helpful and likely drive sales.
ICS-CERT Advisory “ICSA-12-102-05 – Siemens Scalance S Multiple Security Vulnerabilities” is interesting because the Scalance Security Module Firewall is the technology being integrated into the Siemens S7 Communications Processor (CP) Module that was announced last June and planned for release this spring. The new CP module is Siemens response to the Stuxnet and Beresford vulnerabilities. Hopefully Siemens is doing some serious internal and 3rd party testing of the new CP module. BTW, the Stuxnet counter is up to 578 days.
We are two years away from end of life for Windows XP. Vendors should have an OS upgrade path for their products on XP, and owner operators need to start a project to upgrade — if you haven’t already. The days of staying on the same OS for 15 years are long over. Hopefully your budgeting has reflected the need to upgrade hardware and software more often. If you say this is impossible, some of your peers have been doing this for at least more than three years.
The Bandolier Scan Policy for NERC CIP-007 R8 has been updated to address a couple of user reported issues. This is the Nessus scan configuration for the limited CIP vulnerability assessment, and it gathers the required information in the least intrusive manner possible. Michael also created a detailed information page on CIP-007 R8.
Interpol is opening a New Cybercrime Innovation Center in a cool new building in Singapore. One focus will be on open source forensics tools for law enforcement. Singapore was a great location choice.
The Washington Post article “Pentagon to Fast-Track Cyberweapons Acquisition” provides some details on how the US Government and Defense Department are creating an offensive capability. Isn’t it logical that most developed countries and organizations that want an attack capability are developing ICS attack capability on a large scale. It’s so easy that tiny, unfunded Digital Bond can do it.
Tweet of the Week
Worth Reading Articles
- Brian Krebs with another scoop, FBI: Smart Meter Hacks Likely to Spread
- GE Txchnologist, Upgrading Auto Software in a Flash DP Note: Start the countdown clock to BH presentation
- Washington Post article – Pentagon to Fast Track Cyberweapons Acquisition
- Dan Goodin of Ars Technica – Rise of ICS Forever Day Vulnerabilities Threaten Critical Infrastructure DP Note: If only because it uses Reid’s invented Foreverday term
Critical Intelligence’s ICS Security Event Calendar Updates
- SOURCE Boston presentation, PLC/SCADA Vulnerabilities in Correctional Facilities, April 18 in Boston, Massachusetts
- ABB Automation and Power World, Security Presentations, April 23-26 in Houston, Texas
- BSides London presentation, SCADA Security, Why is it so hard?, April 25 in London, UK
- Cyber Security Workshop for Drinking Water and Wastewater Facilities, June 19 in Concord, New Hampshire
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by FredoAlverez