Today the DHS ICS-CERT published a new advisory for a
variety of Schneider Electric applications, posted a year-end review for 2013
and provided belated links to articles about DHS support of the critical
infrastructure implementation of the Cybersecurity Framework.
Schneider Advisory
This advisory
addresses the exception handling vulnerability that was discovered by Carsten
Eiram in CitecSCADA. Schneider subsequently discovered the vulnerability in
other applications. Schneider has produced patches for that affected
applications and the CitecSCADA application patch was validated by Eiram. The
patches also apparently mitigate other undisclosed vulnerabilities in those
applications. This advisory was originally released on the US-CERT secure
portal.
ICS-CERT reports that a relatively low skilled attacker could
remotely exploit this vulnerability to execute a DoS attack that would require
a system re-start for recovery.
According to the Schneider
security page the code for this vulnerability was included in the latest
security patch (December 16, 2013) for these applications. That vulnerability
and its updates were not mentioned by ICS-CERT. The OSVDB site lists two
potential vulnerabilities (here
and here) that might fit that
bill, along with three others (here,
here and here) that were not reported by
ICS-CERT since the first of the year.
2013 Review
This year-end
review is a nice color brochure outlining the activities of ICS-CERT; one
that any commercial activity would be proud of seeing as part of their Annual
Report. It outlines any number of interesting statistics like:
• 14 briefings were given to over 750 attendees in various cities
throughout the country to assist asset owners and operators in detecting intrusions
and developing mitigation strategies (pg 4);
• Nearly 700 infrastructure professionals and law enforcement
agents were trained including 11 Advanced Training Sessions to 442 participants
(pg 6);
• Over 5,000 Cyber Security Evaluation Tools (CSETs) were distributed
and downloaded (pg 7);
ICS-CERT received and responded to 257
incidents as voluntarily reported by asset owners and industry partners (pg 8);
• The ICS-CERT Vulnerability Team
received 187 reports from researchers and vendors
that required coordination, testing, analysis, and the publication of
information products (pg 9);
ICS-CERT’s Advanced Analytical
Laboratory analyzed data from 73 incidents. Phishing or spear-phishing attacks
comprised 21 of the 73. Data from 11 incidents were related to intrusion attempts
by an emerging cyber threat actor as part of a larger campaign involving more
victims (pg 9);
• ICS-CERT conducted 72 onsite cybersecurity assessments across the
US critical infrastructure sectors (pg 12);
Interestingly, according to a pie chart on page 13 there
were no ICS-CERT incident responses involving the chemical sector.
BTW: A comparison chart for the last three years provided on
page 16 shows that in most metrics reported (8 of 11) ICS-CERT performance was
down from previous years.
Oh yes: There may have been actual control system attacks
investigated by ICS-CERT last year (it is implied anyway on page 8), but no even general information is
provided. Who really needs to know that?
CSF Support
There are two links on the ICS-CERT web
page to articles about the DHS Support for the recently published
Cybersecurity Framework (CSF). Those articles are:
It is odd that the DHS Critical Infrastructure Cyber
Community Voluntary Program features ICS-CERT in a number of places as a go-to
agency for helping businesses getting started, yet that page
is not listed on the ICS-CERT site nor is there any specific information on the
ICS-CERT site explaining their support for this ‘vital’ DHS support program. I’m
not sure if this says more about the DHS effort in general or the ICS-CERT
participation specifically.
Posts
No comments:
Post a Comment