Today the DHS ICS-CERT published a control system security advisory for a product from Lynxspring. They also established a new web page and published two documents related to cybersecurity for Internet of Things (IoT) devices.
Lynxspring Advisory
This advisory describes multiple vulnerabilities in the Lynxspring BAS Bridge application. The vulnerabilities were reported by Maxim Rupp. Lynxspring reports that the BAS Bridge has been discontinued and recommends that owners upgrade to the Onyxx Bridge product.
The reported vulnerabilities are:
• Permissions, privileges and access controls - CVE-2016-8357;
• Missing authentication for critical function - CVE-2016-8361;
• Insufficiently protected credentials - CVE-2016-8378; and
• Cross-site request forgery - CVE-2016-8369.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to change permissions and access controls and gain access to the system.
IoT Security
The new IoT web page provides links to two new IoT security publications:
• IoT Fact Sheet; and
• Strategy document.
The IoT security discussion is based upon six principles:
• Incorporate Security at the Design Phase;
• Advance Security Updates and Vulnerability Management;
• Build on Proven Security Practices;
• Prioritize Security Measures According to Potential Impact;
• Promote Transparency across the IoT; and
• Connect Carefully and Deliberately.
The Fact Sheet briefly describes these principles and the Strategy document fleshes out the discussion. Nothing really new in the discussion, but it is all brought together into a single document. The Strategy is written at a slightly more technical level than most recent ICS-CERT documents, directed more at CIOs and security managers than CEOs. It also provides a fairly diverse set of links in the Guidance and Additional Resources Appendix (I was especially pleased to see links to two documents from I Am The Cavalry: the Five Star Automotive Cyber Safety Framework and the Hippocratic Oath for Connected Medical Devices).
This discussion addresses the technical issues, but only briefly touches on the underlying problem of the wide diversity of IoT devices, vendors and users. Getting all of the parties to understand the state of the problem and the necessity of dealing with it cannot be overlooked in any discussion of IoT security. One area of that problem that receives very little attention in these documents is how to deal with the currently installed base (and devices already in the supply chain) of IoT devices that meet none of the principles discussed in the document.
To be fair to ICS-CERT, these problems are more political and sociological than technical. It would have been nice, however, for ICS-CERT to have at least identified these problems in these documents.