This afternoon the DHS ICS-CERT updated its Elipse EC advisory (published yesterday) and published the latest Monitor, which describes ICS-CERT response activities during the last five months (September 2014 through February 2015).
This update provides a link to a Carnegie Mellon CERT (CERT-CC) vulnerability note on the base vulnerability found in the Telerik Analytics Monitor Library. That note provides more details about how the vulnerability functions.
It looks like the CERT-CC note will be updated as other vendors are identified as having vulnerable systems based upon the same Telerik DLLs (csunsapi.dll, swift.dll, nfhwcrhk.dll, and surewarehook.dll); they will probably be listed only after they are fixed. It will be interesting to see whether ICS-CERT will provide new advisories for each vendor’s fix of the problem or whether it will just depend on CERT-CC updating its note.
The latest Monitor provides some additional information about the fairly extensive ICS-CERT response activity that we have been hearing a lot of second-hand information about over the last year or so. This Monitor provides a summary of response data for FY 2014 (which ended on September 30th). As we should have been able to guess from news reports, the largest category of affected industries was the Energy Sector.
We still don’t have any real description of the kinds of effects seen as a result of the attacks, and we don’t know how many of the attacks were successful. There is a list of the generic attack vectors; not much new here. The second largest category was network scanning/probing at 22% and the third was spear phishing attacks at 17% (you can’t tell the relative sizes from the poor graphics). What is kind of scary, though, is that ICS-CERT could not find the source of the attack in 38% of the cases. I hope (and believe) this is a reflection of poor forensics and abysmal system logs and not of ICS-CERT’s capability to analyze control system attacks.
There is also a brief section here about the ICS-CERT outreach activity to industry. It mentions the two-hour Secret-level briefing that was given 15 times across the country in December. I would have liked to have been able to see one of these (unlikely, as my Secret clearance expired decades ago, and forget about ‘need to know’), but I really doubt the efficacy of the briefings. I would expect that these were given to C-level managers who could not then take them back to their ICS folks because of the lack of security clearances at the operational level. And forget about notes or handouts, since very few organizations outside of the Defense Industrial Base have facilities cleared to store Secret documents.
There is a brief discussion about the ICS-CERT Cybersecurity Evaluation Tool (CSET). It does mention that version 6.2 was released in January. Unfortunately there is nothing about that on the ICS-CERT CSET web site or the CSET Fact Sheet (for some reason both are only reachable from the ICS-CERT page via the ‘Assessments’ link; the direct links do not work); neither mentions version numbers at all. There is, however, a series of YouTube® video tutorials about version 6.2, but they are not mentioned on the ICS-CERT site. The Monitor staff did promise to have more information about v6.2 in the next issue.
Lots of other interesting stuff, but nothing worth discussing here. Read it for yourself; it’s free.