The US National Institute of Standards and Technology (NIST) is looking to award contracts to build one or more Reconfigurable Control System Cyber Security Testbeds (see diagram below). This could be useful for basic education on what ICS is and ICSsec 101, which a lot of university programs are calling research.
Read Adam Crain’s article this week on a specific type of attack on DNP3 master stations. He points out it is not fuzzing, just an unexpected use of the protocol that causes a lot of crashes/denial of service. “With a vulnerability like this, however, you can take down the entire master and all the remote sessions with a single packet.” The DNP3 Technical Committee has put out “Technical Bulletin TB2014-006, Clarification of the Use of Variation 0 with Object Groups 110-113”. Does that sound like a call to arms on a security issue? You may remember that the DNP3 Technical Committee previously stressed that the Crain/Sistrunk vulns were not related to the DNP3 specification.
NIST will hold another workshop on the Cybersecurity Framework, Oct 29-30 in Tampa. “The purpose of this workshop is to gather input to help NIST understand stakeholder awareness of, and initial experiences with, the framework and related activities to support its use.” We have been pleasantly surprised by our experience with the CSF. Not the document itself, but the conversations and action it has spawned. This is not due to the rollout; more in spite of the rollout and a recognition of need.
UPDATE: Moved from comments to main post
Extra ICS news from France last week…
- Cybersecurity for Industrial Control Systems – Classification Method and Key Measures
- Cybersecurity for Industrial Control Systems – Detailed Measures
At first glance this is just another framework, but the focus on measures, with some prescriptiveness, makes this framework seem worthy of closer inspection.