Today the DHS ICS-CERT published a new advisory for a variety of Schneider Electric applications, posted a year-end review for 2013 and provided belated links to articles about DHS support of the critical infrastructure implementation of the Cybersecurity Framework.
This advisory addresses the exception handling vulnerability that was discovered by Carsten Eiram in CitecSCADA. Schneider subsequently discovered the vulnerability in other applications. Schneider has produced patches for that affected applications and the CitecSCADA application patch was validated by Eiram. The patches also apparently mitigate other undisclosed vulnerabilities in those applications. This advisory was originally released on the US-CERT secure portal.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute a DoS attack that would require a system re-start for recovery.
According to the Schneider security page the code for this vulnerability was included in the latest security patch (December 16, 2013) for these applications. That vulnerability and its updates were not mentioned by ICS-CERT. The OSVDB site lists two potential vulnerabilities (here and here) that might fit that bill, along with three others (here, here and here) that were not reported by ICS-CERT since the first of the year.
This year-end review is a nice color brochure outlining the activities of ICS-CERT; one that any commercial activity would be proud of seeing as part of their Annual Report. It outlines any number of interesting statistics like:
• 14 briefings were given to over 750 attendees in various cities throughout the country to assist asset owners and operators in detecting intrusions and developing mitigation strategies (pg 4);
• Nearly 700 infrastructure professionals and law enforcement agents were trained including 11 Advanced Training Sessions to 442 participants (pg 6);
• Over 5,000 Cyber Security Evaluation Tools (CSETs) were distributed and downloaded (pg 7);
ICS-CERT received and responded to 257 incidents as voluntarily reported by asset owners and industry partners (pg 8);
• The ICS-CERT Vulnerability Team received 187 reports from researchers and vendors that required coordination, testing, analysis, and the publication of information products (pg 9);
ICS-CERT’s Advanced Analytical Laboratory analyzed data from 73 incidents. Phishing or spear-phishing attacks comprised 21 of the 73. Data from 11 incidents were related to intrusion attempts by an emerging cyber threat actor as part of a larger campaign involving more victims (pg 9);
• ICS-CERT conducted 72 onsite cybersecurity assessments across the US critical infrastructure sectors (pg 12);
Interestingly, according to a pie chart on page 13 there were no ICS-CERT incident responses involving the chemical sector.
BTW: A comparison chart for the last three years provided on page 16 shows that in most metrics reported (8 of 11) ICS-CERT performance was down from previous years.
Oh yes: There may have been actual control system attacks investigated by ICS-CERT last year (it is implied anyway on page 8), but no even general information is provided. Who really needs to know that?
There are two links on the ICS-CERT web page to articles about the DHS Support for the recently published Cybersecurity Framework (CSF). Those articles are:
It is odd that the DHS Critical Infrastructure Cyber Community Voluntary Program features ICS-CERT in a number of places as a go-to agency for helping businesses getting started, yet that page is not listed on the ICS-CERT site nor is there any specific information on the ICS-CERT site explaining their support for this ‘vital’ DHS support program. I’m not sure if this says more about the DHS effort in general or the ICS-CERT participation specifically.