Wednesday, April 20, 2011

ICS-CERT Updates another Luigi Vulnerability and Posts New Reference

Earlier today, the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published updated information on another set of vulnerabilities identified in last month's mass vulnerability release by Luigi. Additionally, they published a link to a Control Systems Security Program (CSSP) publication dealing with the evaluation of cyber security in industrial control systems.

RealFlex RealWin Demo Advisory

Back in March, one of the SCADA systems identified by Luigi as containing multiple vulnerabilities was the RealFlex RealWin SCADA product. In this advisory ICS-CERT confirms what a variety of cyber security commentators have already noted: the seven identified vulnerabilities exist only in a free demonstration version of the software, not in any of the versions controlling actual physical processes. In any case, RealFlex has an updated demonstration version available.

Why be worried about vulnerabilities that exist only in the demonstration version of the ICS software? One might expect these demo versions to show up on the computers of personnel who have actual access to the ICS on site. That still makes these vulnerabilities a danger to the ICS, because they provide a potential route of entry into it. If an unpatched demo version found its way onto the laptop or desktop computer of one of the ICS support personnel, it could provide a route for the injection of trojans, worms and other malicious software onto the ICS.

Cyber Security Assessments of Industrial Control Systems

This new document, produced by CSSP and the Centre for the Protection of National Infrastructure, is designed to assist “asset owners to maximise the return on their investment when commissioning assessments of their ICSs” (Executive Summary). In short, this publication provides the novice to moderately experienced control system security manager with the basic information necessary to evaluate and select the appropriate cyber security testing regime for their system.
