SCADA Security Friday

Some of the big names, AT&T, Cisco, GE, IBM and Intel, have created the Industrial Internet Consortium. GE has been pushing the term Industrial Internet and may be the hub of the five founding partners, who by the way hold a majority of permanent seats in the IIC. Others are encouraged to join and come along, but it’s the founding partners’ game. Expect Siemens and a couple of GE’s other big competitors to do something similar if they have not already. BTW, there is a Security Working Committee in the IIC.

Joe Weiss, who I like to call the Paul Revere of the ICS world, cancelled WeissCon 2014 due to his consulting workload. Joe’s event was the first ICSsec event and drew a good crowd of asset owners. I had heard good things about the last two WeissCons, a bit of a revival, so I’m sure this will disappoint many. Joe says it will be back in 2015.

We submitted our BACnet-discover-enumerate.nse for inclusion in Nmap so you wouldn’t need to download and install our script separately. Some minor code changes were required and are in process to meet the Nmap style and format. We will let you know when it happens.

Thomas Brandstetter was the face of Siemens CERT, most famously at BlackHat during the Beresford vulns. About a year ago he left Siemens and founded Limes Security in Austria. You can add Limes Security to the list of ICSsec training options. They have European-based courses for Managers, Engineers and more technical security courses for those who want to assess DCS and SCADA systems.

Even more ICSsec training … Cimation has opened CimationUniversity.com to provide online training courses. There are four courses ranging in price from $300 – 1,500.

ICS security events in Latin America are still rare, so take note of the CFP for the 1st SCADA Security Conference LATAM in Rio de Janeiro, Nov 5-7. The web site is available in English and Portuguese.

The US Government Accountability Office (GAO) issued a report entitled: Observations on Key Factors in DHS’s Implementation of Its Partnership Approach. The first bullet in the summary is humorous and sad. GAO points out that they identified information sharing as key in 2003 and problems with DHS information sharing in 2010. And they continue to beat that information sharing drum again. I can’t take US Government information sharing seriously until they say out loud and repeatedly that critical infrastructure ICS applications, devices and protocols are insecure by design and need to be upgraded or replaced now. Most of what ICS-CERT/DHS shares is noise to show they are doing something.

Security consulting firms take note that Trustwave was included in a lawsuit related to the Target breach. “Trustwave scanned Target’s computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target’s computer systems. Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave’s watch.”

Image TooFarNorth