This afternoon the DHS ICS-CERT published an update of an advisory on GE multilink switches and a new report on cyber-physical security issues from the DHS Office of Cyber and Infrastructure Analysis (DHS/OCIA).
● Resource consumption vulnerability - CVE-2014-5418; and
● Hard-coded key - CVE-2014-5419
● Cross-site scripting - CVE-2015-3976 (NEW)
Normally, I would have expected ICS-CERT to issue a new advisory for this vulnerability. Apparently, however, the firmware update that is now available fixes all three vulnerabilities so doing this as an update makes a certain amount of sense.
The new version of the advisory did, unfortunately (IMO) remove the mitigation measure from the previous version. It still remains useful for users that for some reason do not want to do a firmware update at this time. Fortunately it still remains (in somewhat more detail than previously supplied by ICS-CERT) in the GE Product Bulletin.
NOTE: ICS-CERT is still not listing these updates on their landing page. Fortunately they are tweeting about these updates as they are released. I suppose it could be a subtle ploy to get people to follow them on TWITTER® (@ICS-CERT). If so, it should be encouraged.
Smart Cities Report
This report from DHS/OCIA looks at some of the potential security risks associated with the increasing automation and interconnection of public services. I have not had time to do much more than peruse the Executive Summary, but it looks like there may be some interesting insights included in this report.
This is not an exhaustive look at all of the possible combinations of public services that are being linked into the internet of things under the rubric of Smart Cities. The graphic below (from page 3) shows the technologies upon which the report will focus.
Scope of Cyber-Physical Infrastructure Risk Report
I will probably have a more detailed look at this report in future blog posts.