Today the folks at ICS-CERT published their last Monthly Monitor for 2012. Actually, still calling it a “Monthly” is a little misleading, because this issue covers October, November and December.
Once again we see another report of an ICS-CERT away team investigation. This time it concerns two SCADA engineering workstations that were infected with “sophisticated malware” via an infected USB drive. It’s a nice discussion of how to go about disinfecting an infected system when no appropriate backups exist. Unfortunately (or fortunately, depending on your point of view), it appears that the only thing ICS-related was the primary use of the workstations. The name of the malware is not mentioned, but there was no real impact on, or infection of, the SCADA system.
A briefer second piece describes the infection of some computers on the ‘control system network’ with some unidentified ‘crimeware’ again via an infected USB drive. Again, the location of the infection seems to be the only thing of ICS-CERT interest.
Of course, the routine use of USB drives in both cases served as the method of infection. That serves as an educational point, with the Monitor noting that:
“ICS-CERT continues to emphasize that owners and operators of critical infrastructure should develop and implement baseline security policies for maintaining up-to-date antivirus definitions, managing system patching, and governing the use of removable media.” (Pg 2)
A second article provides a brief summary of the ICS-CERT operational responses to cyber incidents in FY 2012. They report a total of 198 cyber-incidents reported by industry. Again the only actual ICS related incident reported was the ‘hacked water system in Illinois’ that wasn’t hacked.
There is an interesting discussion of the CVSS score that is reported in each ICS-CERT Advisory. It explains what the score means and how it is calculated from the individual vulnerability metrics.
There is also a nice description of Project Shine, a result of a SHODAN investigation initiated by Bob Radvanovsky and Jake Brodsky. They reported over 460,000 IP addresses of SCADA systems that appeared to be internet facing. Efforts are being made to identify and contact the owners of the systems to warn them of their exposure. ICS-CERT is concentrating on the critical infrastructure systems among those identified.
There is also a brief discussion of the continuing ICS-CERT response to the apparent coordinated attack on oil and natural gas pipeline operators. Still no information about direct involvement of control systems, though this piece does note that many “of these incidents targeted information pertaining to the ICS/SCADA environment, including data that could facilitate remote access and unauthorized operations”. (pg 4) This has also led to an increased outreach effort by ICS-CERT to explain the ICS vulnerabilities present in critical infrastructure.
There is also a nice summary of the vulnerabilities reported in ICS-CERT advisories over FY 2012. Of the 177 different vulnerabilities reported, the largest number (44) were buffer overflow vulnerabilities with input validation vulnerabilities placing a distant second (18 instances).
Finally there is a brief summary of the Industrial Control Systems Joint Working Group (ICSJWG) 2012 Fall Meeting.
Oh, one final note: as usual the Monitor closes out with a listing of recent coordinated disclosures and a list of researchers currently working with ICS-CERT on disclosures. While our friend Luigi is mentioned on the first list on two separate vulnerability notices, he doesn’t make the final ‘working with’ list. It could be that his new company, formed to sell 0-day vulnerabilities, puts him outside of the coordinated disclosure network.