SCADA Security News

Apologies for the lack of posts and slow approval of comments this week. Most of the team was in a very low bandwidth environment.

Tenable Network Security, most famous for Nessus, has released Version 4.0 of the Passive Vulnerability Scanner (PVS). We have always been intrigued by this product for ICS because it is passive, but it was very difficult to use without Security Center. Version 4.0 added a client interface so it is now worth a try. And you can for free, get an evaluation version with support for up 16 IP addresses.

SANS/GIAC announced they are working with about 20 ICS companies and organizations to create a “body of knowledge” and related Global Industrial Cyber Security Professional (GICSP) certification. It is a good group of companies and individuals involved in this effort so I’d expect quality output. Of course the GICSP will likely have all the same pro’s and con’s of other security certifications.

I was surprised to read a quote from Michael Assante, SANS ICS Director. News to me that he had that role and seemingly a similar mission to the NBISE organization he created.

Metasploit released another ICS exploit module, this time for the GE Proficy Directory Traversal. Another ICS vuln or exploit usually isn’t noteworthy, but the quote from ICS outsider Tod Beardsley is. “I just feel like we see this kind of thing in SCADA-land over, and over, and over again, so I kind of feel like we’re getting something wrong, as a security industry, when it comes to educating these hardware vendors on how to conduct themselves when releasing software. What can we do better? How can we impart the last 10 years of secure coding know-how to the people that are providing critical infrastructure? I’m hopeful that if Metasploit modules attacking this stuff gets out there in the public, it’ll be a wake-up call. Is there a better way?”

This week saw the fourth workshop on the NIST Cybersecurity Framework in Dallas. I haven’t participated so any declarations on the value and impact of the effort, or related snark, would be uninformed. You can see what other participants are tweeting at #nistcsf.

Adam Crain, of recent DNP3 vulnerabilities fame, announced Aegis ICS. “A consortium of industrial control system (ICS) stakeholders dedicated to improving the robustness of standards-based protocol implementations.” It looks like they will create and provide tools for a yearly membership fee. The first tools will be released in Q1 2014.

To end the week on a light note, Robert M. Lee has written SCADA and Me: A Book for Children and Management. I pity Grace and all other children of ICS security professionals.

Tweet of the Week

I wonder if NIST realizes that (or intended that) the #NISTCSF has become (only) a defacto control catalogue

— Jack Whitsitt (@sintixerr) September 11, 2013

Worth Reading Articles

  • Navigant blog In Germany, A Yellow Light For Smart Meters

Critical Intelligence’s ICS Security Event Calendar Updates

Critical Intelligence provides reports and other information products on  Cyber Situational Awareness and Threat Intelligence services for Industrial Control System Owner/Operators, Vendors and Government stakeholders.

Image by chrisinplymouth