This morning the DHS ICS-CERT published an advisory for
OSIsoft PI AF as well as the March-April Monitor.
OSIsoft Advisory
This advisory
describes a default-permissions vulnerability in the PI AF product. The
vulnerability was self-reported by OSIsoft. Because it is described as an
installation issue rather than a software defect, OSIsoft
is recommending adjustments to the “PI SQL (AF) Trusted Users” configuration instead of any changes to the
code itself. Since the fix is a configuration change rather than a patch, it will
not show up in a patch inventory; sites will have to verify it on each PI AF installation.
ICS-CERT reports
that a relatively unskilled attacker could remotely exploit the vulnerability
to execute SQL statements that result in tampering, information disclosure,
repudiation, elevation of privilege, and denial of service.
March-April Monitor
This latest
version of the Monitor features:
∙ A water sector incident
investigation;
∙ A report on assessments conducted
by ICS-CERT;
∙ Situational awareness;
∙ ICS-CERT news; and
∙ A variety of standard Monitor reports.
The interesting thing about the water facility incident was
that while it initially looked like a malware attack, it wasn’t. The whole
incident was an installation error. While there are certainly lessons to be
learned about having an installation done properly, I don’t really think that
it is necessarily important enough to be mentioned here. On the other hand,
that may have been the most interesting incident during this two-month period;
we can only hope.
The brief report on the cybersecurity assessments done by
ICS-CERT indicates that they spent most of their time in the water sector. Of
the 21 assessments done during the two-month period, 14 were at water and
wastewater facilities.
The situational awareness section of the Monitor looks at
multi-factor authentication. It is an interesting page and a half read.
The news section has brief articles on the upcoming spring
meeting of ICSJWG, ICS-CERT regional training and CSET 6.2. This is the second
time (the first was the Year in Review publication) that ICS-CERT has featured
v6.2 of the CSET, but the CSET web page still
mentions nothing about the latest and greatest version. Maybe it’s not so great
after all.