Today the folks at ICS-CERT published their last Monthly
Monitor for 2012. Actually, still calling it a “Monthly” is a little
misleading, because it covers the months of October, November and December.
ICS-CERT Responses
Once again we see another report of an ICS-CERT away team
investigation. This time it concerns two SCADA engineering workstations that
were infected with “sophisticated malware” via an infected USB drive. It’s a
nice discussion of how to go about disinfecting an infected system without
appropriate backups. Unfortunately (or fortunately, depending on your point of
view), it appears that the only thing ICS-related was the primary use of the
workstations. The name of the malware is not mentioned, but there was no real
impact on, or infection of, the SCADA system.
A briefer second piece describes the infection of some
computers on the ‘control system network’ with some unidentified ‘crimeware’
again via an infected USB drive. Again, the location of the infection seems to
be the only thing of ICS-CERT interest.
Of course, in both cases the routine use of USB drives
served as the method of infection. ICS-CERT uses that as an educational point,
noting that:
“ICS-CERT continues to emphasize that owners and operators
of critical infrastructure should develop and implement baseline security
policies for maintaining up-to-date antivirus definitions, managing system
patching, and governing the use of removable media.” (Pg 2)
A second article provides a brief summary of the ICS-CERT
operational responses to cyber incidents in FY 2012. They report a total of 198
cyber-incidents reported by industry. Again, the only actual ICS-related
incident reported was the ‘hacked water system in Illinois’ that wasn’t hacked.
Other Information
There is an interesting discussion of the CVSS Score that is
reported in each ICS-CERT Advisory. It explains what the score means and how it
is determined.
There is also a nice description of Project Shine, a result
of a SHODAN investigation initiated by Bob Radvanovsky and Jake Brodsky.
They reported over 460,000 IP addresses of SCADA systems that appeared to be
internet facing. Efforts are being made to identify and contact the owners of
the systems to warn them of their exposure. ICS-CERT is concentrating on those
critical infrastructure systems identified.
There is also a brief discussion of the continuing ICS-CERT
response to the apparent coordinated attack on oil and natural gas pipeline
operators. Still no information about direct involvement of control systems,
though this piece does note that many “of these incidents targeted information
pertaining to the ICS/SCADA environment, including data that could facilitate
remote access and unauthorized operations”. (pg 4) This has also led to an
increased outreach effort by ICS-CERT to explain the ICS vulnerabilities
present in critical infrastructure.
There is also a nice summary of the vulnerabilities reported
in ICS-CERT advisories over FY 2012. Of the 177 different vulnerabilities
reported, the largest number (44) were buffer overflow vulnerabilities with
input validation vulnerabilities placing a distant second (18 instances).
Finally there is a brief summary of the Industrial Control
Systems Joint Working Group (ICSJWG) 2012 Fall Meeting.
Oh, one final note: as usual the Monitor closes out with a
listing of recent coordinated disclosures and a list of researchers currently
working with ICS-CERT on disclosures. While our friend Luigi is mentioned on
the first list on two separate vulnerability notices, he doesn’t make the final
‘working with’ list. It could be that his new company, formed to sell 0-day
vulnerabilities, puts him outside of the coordinated disclosure network.