Late yesterday afternoon the folks at DHS ICS-CERT published their March 2012 ICS-CERT Monthly Monitor and an update to a previously issued Siemens system Advisory. The Monthly Monitor provides some information on an interesting phishing attack on an electric utility and the Siemens update addresses some mitigation issues.
ICS-CERT is apparently going to be making it a common feature on their Monthly Monitor to describe an interesting new type of attack that their team has responded to in the previous month. This month it deals with a telephone phishing attack. The two attacks reported to ICS-CERT were unsuccessful due to an alert individual on the receiving end. Reporting (and publicizing) unsuccessful attacks is important because it helps other organizations learn how to avoid the attack.
The other thing about this type of attack is that it would be unusual for it to be directed at just one or two organizations. It will be interesting to see if other electrical distribution organizations were affected by a similar attack. It would also be nice to know if ICS-CERT pushed this information directly to other organizations in the industry.
The ‘Situational Focus’ section of the Monitor has a good discussion of system auditing and logging and another on the role of fusion centers. There is also a helpful description of their ICS Advanced Training course.
As usual, this is an issue well worth reading and circulating.
The Siemens advisory update is more than a little confusing. This update references a ‘previous’ advisory from back in December. But that advisory has a different number than the current advisory and the vulnerability that is specifically addressed with new information is not found in that original advisory. What happened is that ICS-CERT updated that December advisory in January with new vulnerabilities. Readers might remember that the second advisory provided information on eleven separate vulnerabilities with mitigation measures for some but not all of the vulnerabilities.
This version provides a minor change to the mitigation measures for the telnet daemon. Where the second advisory noted that “Users have the option of disabling the telnet function on SIMATIC panels when telnet is not actively being used,” the new version is a tad more active in its recommendation: “Siemens recommends disabling the telnet function on SIMATIC panels when telnet is not actively being used.”
I pointed out in my posting on the second advisory that ICS-CERT specifically noted that no one had verified the Siemens mitigation measures. This version reports that ICS-CERT has tested two of the service packs identified in the Siemens information and that they resolve five of the eleven reported vulnerabilities, the ones that were actually patched. To address the remaining vulnerabilities the Advisory notes:
“The remaining vulnerabilities are addressed in documentation and a new FAQ entry on Siemens website. If unable to implement these changes, product users should contact their integrator or Siemens product support for assistance.”
I just hope that Siemens is pushing this information to their customers. I would bet that the vast majority of owners never see the ICS-CERT web site or blogs like this one.