Sunday, August 21, 2011

ICS-CERT Monthly Monitor

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the latest edition of their ICS security newsletter, the ICS-CERT Monthly Monitor; this issue covers two months. A number of interesting topics are covered in this issue, including spear phishing, Black Hat 2011, the Siemens fiasco and preserving cyber forensics data.

Spear Phishing

A nice article on spear phishing notes that ICS-CERT has been responding to an “increasing number of spear phishing attacks”. One would assume that by the time ICS-CERT gets involved the spear phishing attack has already succeeded and something ‘malicious’ has been noted on the attacked network. It is interesting to note in the article (mentioned in passing, as it were) that the apparent response to a successful spear phishing attack involves shutting down the corporate email system “until the extent of the problem [is] known and mitigation steps [are] taken”.

Black Hat Briefings

The brief piece on the Black Hat Briefings conference provides a bit of information from the conference that I haven’t seen mentioned elsewhere: the description of an airborne hacker tool. The wireless aerial survey platform (WASP) is apparently a remotely piloted vehicle that would fly over an installation trying to detect and intercept Wi-Fi and cell transmissions. With the increased use of wireless communications between control system components, this could provide another route of access into the control system network. Of course, high-risk chemical facilities should already be concerned about the use of RPVs for surveillance or even attacks, so this is just one more reason to acquire sophisticated anti-aircraft capabilities (just a little sarcasm).

Siemens Issues
The brief piece on the Siemens issues provides essentially a summary of their summarizing advisory that I have previously addressed. I would like to suggest that an alternative analysis of the ICS-CERT approach to the Siemens issues can be found in Ralph Langner’s recent blog posting on the issue. Anyone who has read Ralph’s writing on Stuxnet will not be surprised that he has been less than enamored with the response of ICS-CERT on much of anything to do with Siemens.

Cyber Forensics

There is a relatively lengthy piece on cyber forensics and the importance of planning for how to respond to a cyber incident. Most facilities will be focused on getting their systems back into normal operation when something goes wrong (whether from an attack, human error, or just a glitchy piece of equipment or software). Cyber forensics is used to determine why and how a problem occurred, and it is important in figuring out how to limit the current problem and prevent it from happening again. This piece is well worth the read and further exploration. Some of the techniques suggested for preserving forensics data would normally fly in the face of standard procedures for quickly restoring functionality (preserving evidence from a compromised machine before it is wiped and rebuilt, for instance, rather than restoring it immediately), but with more cyber-attacks occurring, facilities really need to consider these techniques as a method of discovering the true extent of what happened.

Other Information

There is also a nice text box describing the wonders and benefits of ‘coordinated vulnerability disclosure’ (CVD). ICS-CERT has a vested interest in the CVD process, so they can be expected to support it. It seems to me that when the process works (i.e., the vendor responds promptly and puts forth a reasonable effort to fix the problem) this system provides the most effective method for identifying and responding to vulnerabilities. When there is no response, or an inadequate response, then alternate methods of communication need to be used.

Finally, the Monitor closes with two pages of ‘Open Source Situational Awareness Highlights’; a listing of articles and blog posts of significance to the control system security community. While certainly not an exhaustive bibliography, it provides a pretty good reading list. I was impressed that there are a couple of blog posts included in their list (none of mine, alas). I would have been more impressed if they had included a listing of some posts by people like Ralph Langner or Dale Peterson that questioned the various responses of ICS-CERT to cyber security issues, but that would be expecting a bit more objectivity than is probably reasonable.

In short, this is a fairly impressive newsletter by a government agency that is a small but important cornerstone of the Federal response to cyber security issues in industrial control systems. Everyone in the ICS security community should read it.
