Last Thursday the DHS ICS-CERT published an update of a technical information paper (TIP) that they issued in May. They also issued an advisory for a vulnerability for a very common interface used by a wide variety of control systems. The odd thing about this advisory is that the vulnerability was not discovered by an independent security researcher; OSIsoft requested ISC-CERT to examine their product for vulnerabilities.
Back in May ICS-CERT published “Targeted Cyber Intrusion Detection and Mitigation Strategies” after the public disclosure of a number phishing attacks on gas pipeline companies. At the time I wrote that:
“As one would expect, there is nothing really new here, but it is a nice summary of the multiple levels of cyber protection that need to be employed to help reduce the effectiveness and impact of a targeted cyber-attack.”
This new addition to the TIP addresses the issue of credential management and it provides a wealth of information that ICS-CERT has not addressed previously. And the topic is important in defending a system that has been breached by a phishing attack.
The information provided in the new two and a half pages added to the TIP covers a wide range of topics about the ins and outs of protecting passwords and their hashes. That isn’t enough to go into a real useable level of detail, but ICS-CERT did provide a number of footnotes to additional information that will provide the level of detail necessary for most administrators.
I’m not sure why this data wasn’t included in the initial publication; the information is not new. Oh well, better late than never.
OSIsoft OPC Interface
This advisory for the PI OPC DA Interface addresses a buffer overflow vulnerability that would allow a medium skilled attacker to write data to OPC items collected by the PI OPD CA Interface. OSIsoft has made a software update available that corrects the problem.
As I noted earlier, this vulnerability was actually discovered by ICS-CERT. Since the discovery was made under contract with OSIsoft they would have retained the rights to allow the publication of the discovery. So I’ll add my kudos to those provided by Dale Peterson at DigitalBond to OSIsoft for their allowing the public disclosure of this vulnerability.
BTW: Dale has a much more detailed look at the importance of this vulnerability on his SCADA security blog. The whole discussion following his post is well worth reading.
NOTE: I made an error in my comment on Dale’s post; I got my days wrong because of a crazy schedule. I downloaded my copy of the OSIsoft Advisory on Thursday evening.