ICS Security News

The news this week was dominated by the presentations at Black Hat, DefCon and BSides Las Vegas.

Charlie Miller and Chris Valasek got the most attention for their hacking of a Toyota Prius and Ford Escape. Braking, accelerating, moving the steering wheel, all from a computer physically connected to the car. Of course the next step is to combine this with wireless access to the car. It even got a segment on the Today show.

Lucas Apa and Carlos Mario Penagos of IOActive showed how the proprietary encryption and key management schemes in three 900 MHz/2.4 GHz radios could be broken. This would allow an attacker to listen to or join the radio network. They didn’t mention the vendors or models, which is weak, but unless they put up fake pictures they are Prosoft’s RadioLinx, OleumTech, and Banner. The paper and presentation are available now. The paper is worth reading to see a variety of ways to bust open a proprietary crypto system.

Eric Forner and Brian Meixell of Cimation did a SCADASEC 101 hacking presentation. Compromising servers and workstations to cause loss of control and loss of view. Then taking advantage of insecure-by-design issues. It looks like they used our old friend the Koyo PLC for the demo. The paper and presentation are available now.

President Obama issued an Executive Order on Improving Chemical Facility Safety and Security. Better coordination, information sharing, best practices … Much like CFATS there is little ICS here.

At the end of last week The Guardian broke the story that researcher Flavio Garcia was banned by a UK court “from publishing an academic paper revealing the secret codes used to start luxury cars including Porsches, Audis, Bentleys and Lamborghinis”. Is this incentive to be more stealthy in your conference paper’s title?

Late Entry: A US Food and Drug Administration (FDA) procurement notice states “FDA is developing a cybersecurity laboratory in which a fuzz testing capability is to be integrated.” Looks like all the medical equipment hacking over the last year got their attention.

Tweet of the Week

Gotta love the fact that the NERC CIP version 5 filing to FERC for consideration was 10,483 pages long…

— Patrick C Miller (@PatrickCMiller) August 1, 2013

Worth Reading Articles

Critical Intelligence’s ICS Security Event Calendar Updates

  • Oil & Gas ICS Cyber Security Forum, Oct 7-10 in Abu Dhabi, UAE
  • Cybersecurity for Utilities, Oct 8-9 in Washington DC
  • Oil & Gas Cybersecurity, Nov 25-26 in London, UK

Critical Intelligence provides reports and other information products on Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Image by chrisinplymouth