EnergySec has formed the Publicly Accessible Control Systems Working Group (PACS-WG) to try to track down and remove Internet accessible devices identified in Project Shine and elsewhere. The kickoff webinar is next Friday.
Eric Byres and Tofino have teamed with Joel Langill to write a white paper and develop tools related to the CoDeSys insecure by design issues. The tools are Snort IDS signatures and Security Profiles for the Tofino firewall. We will look at the effectiveness of the tools in the next week or two. Namely do they alert on our scripts or on the root cause of the vulnerability? Can they be circumvented? Do they stop legitimate, required communication? The whitepaper and tools are available for free with registration.
Chevron has gone public and announced Stuxnet infected their networks. The WSJ article doesn’t mention it, but I assume they mean it infected one or more computers running WinCC. This would be quite an admission because it would mean that it had reached a SCADA or DCS. Remember that Aramco claims Shamoon did not affect operations. I’m sure loyal blog readers know that the Stuxnet fingerprinting would result in Chevron’s PLCs being unaffected.
Sergey Gordeychik of Positive Technologies announced that they had 50+ vulnerabilities in WinCC and other Siemens software (see Worth Reading below.) He also announced two new tools. PLCscan scans s7comm and Modbus TCP PLC’s and controllers. The page shows example output. WinCC Harvester is a Metasploit module that uses “WinCC MS SQL access to harvest sensitive information (users, roles, PLCs) from the database.
Lumension purchased CoreTrace, the makers of Bouncer Host IPS / application whitelisting. CoreTrace had been actively pursuing the ICS space and was integrated with Emerson Ovation and Industrial Defender. Industrial Defender had actually bought the rights to the code for integration with their product suite. While CoreTrace was an early mover in the ICS application whitelisting efforts, McAfee has had more partner integration wins over the last 24 months. No word on the price, but the press release mentions 130 CoreTrace customers and 15 of the 35 employees will be retained.
Two data points on smart meters. PECO is replacing 186,000 Sensus smart meters with Landis+Gyr (Toshiba). Evidently the Sensus meters got hot and actually were believed to cause some house fires. Itron is predicting flat to slightly negative smart meter sales through mid-2013, and Zack Pollock thinks this may be the start of a trend.
The UK GCHQ/CESG has created a Cyber Incident Response team that will involve private industry in incident response. BAE, Cassidian, Context Information Security and Mandiant were the first companies named in the program. It’s unclear whether these companies are donating their services or are being contracted by the UK Government.
The ToorCon 14 badge is fantastic. It’s a RfCat board, check out the picture.
Tweet of the Week
Substitute Siemens for LinkedIn
Don’t forget to subscribe to this blog RSS feed and follow @digitalbond.com on twitter.
Worth Reading Articles
- NESCO coverage of Verizon’s IOCExtractor Tool
- Jeremy Kirk’s Siemens Software Targeted By Stuxnet Still Full of Holes
- Bloomberg Coke Gets Hacked and Doesn’t Tell Anyone
- Digital Bond’s ICS Security Tools #3
Critical Intelligence’s ICS Security Event Calendar Updates
- EnergySec Webinar Taking Defense in Depth to the Next Level, Nov 13
- Justin Searle’s Pentesting Smart Grid and SCADA, Dec 3-4 in Abu Dhabi, UAE
- SMI’s European Smart Grid and SCADA Security, Mar 11-12 in London, UK
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.
Image by Luigi Lombardi