ICS-CERT issued an Alert based on Terry McCorkle and Billy Rios's work on the security of medical devices. Not surprisingly, they found hard-coded passwords in hundreds of devices. But what action are we to take with this Alert, and what is DHS doing beyond coordinating disclosure? We have seen insecure-by-design PLCs and protocols generate alerts with alarming language, and then months and years pass with no further action. Maybe the FDA will take action and foster change where DHS has failed. (I was going to criticize Billy and Terry for not releasing the details, but it was ICS-CERT that chose this disclosure path.) (And IOActive joined the party by disclosing the fact that they found hard-coded FTP credentials in an ICS product, full stop and weak.)
The third workshop on the US Government Cybersecurity Framework is July 10-12 in San Diego. NIST has published a skeleton of an agenda that does little more than give the beginning and ending times. They will likely provide a more detailed agenda, as they did for the second workshop. However, if this third workshop is going to make progress, they should put out materials in advance for review and comment. And we are halfway to the deadline for the release of the first draft.
Worth Reading Articles
Nothing this week. Enjoy the weekend.
Critical Intelligence’s ICS Security Event Calendar Updates
Nothing New This Week
Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.