Richard Bejtlich blogged “SEC Guidance Is A Really Big Deal” regarding the SEC telling companies they need to disclose cyber incidents and risks. If you read financial statements you are already beginning to see cyber security disclosures alongside other material warnings. Are we going to see public companies with ICS write things such as “our ability to safely produce (power, product, ..) is at risk if an attacker can gain any access to our plant networks because these systems lack basic security features and we have chosen to do nothing about it”?
We are starting to see the results of the Intel/McAfee/WindRiver/NitroSecurity acquisition path. This week Intel/McAfee announced their blueprint for critical infrastructure protection. There is also a Protect Critical Infrastructure page on the McAfee site and a solution guide. I got excited when I read the term McAfee Embedded Control, but it wasn’t what I thought. We will review the solution in more detail in a future article.
Proponents of the “anti-virus is too dangerous to run on ICS” argument got another data point this week as an Avira anti-virus update caused a number of false positives. The false positives stopped regularly used applications from running and could be compared to causing an outage in an ICS. Rather than abandon anti-virus or move to manual anti-virus updates, owner/operators should leverage the redundancy in the system and split hot/standby servers and workstations into different groups. Update one group and schedule the next group to update the next day. In the rare case where there is an anti-virus update issue, your ICS will still be operable. This is a good practice that many owner/operators have used for years now.
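The staggered rollout described above can be planned and checked mechanically. This is an added example, not from the original post: it puts the two members of every hot/standby pair into different anti-virus update groups (day 0 and day 1) and refuses a plan that cannot keep every pair split. The host names, the inventory format and the function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed inventory: each tuple is two hosts that back each other up
# (hot/standby servers, redundant operator workstations). Names are made up.
REDUNDANT_PAIRS = [
    ("scada-srv-a", "scada-srv-b"),
    ("hist-srv-a", "hist-srv-b"),
    ("hmi-ws-1", "hmi-ws-2"),
    ("scada-srv-b", "eng-ws-1"),  # eng-ws-1 is also a fallback for srv-b
]

def plan_update_groups(pairs):
    """Assign each host to update group 0 or 1 so that the two hosts of a
    pair never share a group. Raises ValueError if two groups cannot do it."""
    peers = defaultdict(set)
    for a, b in pairs:
        peers[a].add(b)
        peers[b].add(a)
    group = {}
    for start in sorted(peers):
        if start in group:
            continue
        group[start] = 0
        queue = deque([start])
        while queue:  # breadth-first walk, alternating groups along each pair
            host = queue.popleft()
            for peer in sorted(peers[host]):
                if peer not in group:
                    group[peer] = 1 - group[host]
                    queue.append(peer)
                elif group[peer] == group[host]:
                    raise ValueError(
                        f"{host} and {peer} cannot be split across two groups")
    return group

def exposed_pairs(pairs, group):
    """Pairs whose members would both take the same update on the same day."""
    return [(a, b) for a, b in pairs if group[a] == group[b]]

if __name__ == "__main__":
    plan = plan_update_groups(REDUNDANT_PAIRS)
    for day in (0, 1):
        print(f"day {day}:", sorted(h for h, g in plan.items() if g == day))
    print("pairs updating together:", exposed_pairs(REDUNDANT_PAIRS, plan))
```

`exposed_pairs` can also be run against an existing, hand-maintained group assignment to find pairs that currently update together.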
Rapid7 released a telnet_ruggedcom module for Metasploit. The module, developed by Borja Merino, “greps out the MAC address from the telnet banner, performs the password conversion magic, and stores it off into Metasploit’s credential database for later use (say, with the telnet_login module).” This module exploits the vulnerability found by Justin W. Clarke.
The Dutch have issued an ICS Security Checklist (ht: @m00st) with 5 administrative security control principles and 10 technical security control principles. Many of the checklist items have sub items, but it’s concise at four pages and accessible.
There is a serious argument over the FERC audit of NERC. It’s not related to security per se. It deals with NERC’s accounting and finances. NERC objected and heavily commented on most of the findings. This article provides a summary, or you can read all of NERC’s comments. This doesn’t appear to be a case where the truth is in the middle. Either the auditor was way off or NERC has been playing by their own set of rules. Appreciate comments from anyone who knows the details.
Howard Schmidt, the US Cybersecurity Czar, announced he was leaving the post at the end of the month. His tenure has actually been a few months longer than planned. Wired had a fascinating article/interview with Mr. Schmidt when he started more than two years ago with two great pull quotes.
- “it’s possible that hackers have gotten into administrative computer systems of utility companies, but says those aren’t linked to the equipment controlling the grid, at least not in developed countries. He’s never heard that the grid itself has been hacked.”
- “‘As for getting into the power grid, I can’t see that that’s realistic,’ Schmidt said.”
BTW … Stuxnet PLC vulnerabilities have not been fixed 613 days after Ralph Langner revealed them.
Tweet of the Week
Worth Reading Articles
Fail. My fault.
Critical Intelligence’s ICS Security Event Calendar Updates
- Cyber Security Symposium at UTC Telecom, May 21-24 in Orlando, Florida
- ICS Security Presentations at Connectivity Week, May 24 in Santa Clara, California
- Cyber Security Roundtable at Honeywell User Group, June 13 in Phoenix, Arizona
- ICS Security Presentations at APPA Conference, June 17 in Seattle, Washington
- Joe Weiss at the Amphion Forum, June 27 in Washington DC
- ICS Security Presentations at SCADA Systems 2012, August 14-16 in Sydney, Australia
- ICS Security Presentations at Novatech Automation Summit, Sept 16-20 in Baltimore, Maryland
- ICS Security Presentations at Gridweek, Oct 3 in Washington, DC
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.