This afternoon the DHS ICS-CERT published an update of an
advisory on GE multilink switches and a new report on cyber-physical security
issues from the DHS Office of Cyber and Infrastructure Analysis (DHS/OCIA).
GE Update
● Resource consumption vulnerability - CVE-2014-5418;
● Hard-coded key - CVE-2014-5419; and
● Cross-site scripting - CVE-2015-3976 (NEW)
Normally, I would have expected ICS-CERT to issue a new
advisory for this vulnerability. Apparently, however, the firmware update that
is now available fixes all three vulnerabilities, so doing this as an update
makes a certain amount of sense.
The new version of the advisory did, unfortunately (IMO),
remove the mitigation measure from the previous version. That measure remains
useful for users that for some reason do not want to do a firmware update at
this time. Fortunately it is still available (in somewhat more detail than
previously supplied by ICS-CERT) in the GE Product Bulletin.
NOTE: ICS-CERT is still not listing these updates on their landing page.
Fortunately they are tweeting about these updates as they are released. I
suppose it could be a subtle ploy to get people to follow them on TWITTER®
(@ICS-CERT). If so, it should be encouraged.
Smart Cities Report
This report from DHS/OCIA looks at some of the potential
security risks associated with the increasing automation and interconnection of
public services. I have not had time to do much more than peruse the Executive
Summary, but it looks like there may be some interesting insights included in
this report.
This is not an exhaustive look at all of the possible combinations
of public services that are being linked into the internet of things under the
rubric of Smart Cities. The graphic below (from page 3) shows the technologies
upon which the report will focus.
[Figure: Scope of Cyber-Physical Infrastructure Risk Report]
I will probably have a more detailed look at this report in
future blog posts.