Wednesday, August 3, 2011

ICS Vulnerability Notice from NERC

Thanks to Alan Rivaldo from the Texas Public Utility Commission for his message on the SCADASEC listserv, which pointed those of us who don’t follow energy sector cyber issues to the latest ‘Industry Advisory’ about a cyber-vulnerability issue that affects some embedded microprocessors that have “cellular signal reception capability”.

The ES-ISAC (Electricity Sector Information Sharing and Analysis Center) shared a report by an unnamed security researcher who had “discovered a potentially broad vulnerability where cellular messaging is used to attack embedded systems architecture control networks”. According to the advisory: 

“Clear text messaging protocols can be intercepted and reverse engineered to enable an attacker to inject commands or implement attacks on critical systems which rely on embedded microprocessors.”

Since no specific brand or type of embedded system is identified in this advisory, it would appear that the security researcher and ES-ISAC assume that a wide variety of devices from a number of different vendors could be affected by this vulnerability.

While this vulnerability is undoubtedly of concern to the power generation/transmission community, I would suspect that the wider industrial control system community would have similar concerns about this vulnerability in their systems. I would like to assume that whoever received this report at ES-ISAC would have encouraged the unnamed researcher to contact the ICS-CERT to allow the information to be shared with the wider ICS community.
