
Tuesday, May 12, 2015

ICS-CERT Publishes Advisory and Monitor

This morning the DHS ICS-CERT published an advisory for OSIsoft PI AF as well as the March-April Monitor.

OSIsoft Advisory

This advisory describes a default-permissions vulnerability in the PI AF product. The vulnerability was self-reported. Since it is described as more of an installation issue than a software issue, OSIsoft is recommending adjustments to the “PI SQL (AF) Trusted Users” settings instead of any changes to the programming.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to execute SQL statements that result in tampering, information disclosure, repudiation, elevation of privilege, and denial of service.

March-April Monitor

This latest version of the Monitor features:

∙ A water sector incident investigation;
∙ A report on assessments conducted by ICS-CERT;
∙ Situational awareness;
∙ ICS-CERT news; and
∙ A variety of standard Monitor reports.

The interesting thing about the water facility incident was that while it initially looked like a malware attack, it wasn’t. The whole incident was an installation error. While there are certainly lessons to be learned about having an installation done properly, I don’t really think that it is necessarily important enough to be mentioned here. On the other hand, that may have been the most interesting incident during this two month period; we can only hope.

The brief report on the cybersecurity assessments done by ICS-CERT indicates that they spent most of their time in the water sector. Of the 21 assessments done during the two-month period, fourteen were in water and wastewater facilities.

The situational awareness section of the Monitor looks at multi-factor authentication. It is an interesting page and a half read.


The news section has brief articles on the upcoming spring meeting of ICSJWG, ICS-CERT regional training and CSET 6.2. This is the second time (the first was the year in review publication) that ICS-CERT has featured v6.2 of the CSET but the CSET web page still mentions nothing about the latest and greatest version. Maybe it’s not so great after all.

Wednesday, March 11, 2015

ICS-CERT Updates Advisory and Publishes Monitor

This afternoon the DHS ICS-CERT updated their Elipse EC advisory (published yesterday) and published the latest Monitor, which describes ICS-CERT response activities during the last five months (September 2014 through February 2015).

Elipse Update

This update provides a link to a Carnegie Mellon CERT (CERT-CC) vulnerability note on the base vulnerability found in the Telerik Analytics Monitor Library. That note provides more details about how the vulnerability functions.

It looks like the CERT-CC note will be updated as other vendors are identified as having vulnerable systems based upon the same Telerik DLLs (csunsapi.dll, swift.dll, nfhwcrhk.dll, and surewarehook.dll); probably listed after they are fixed. It will be interesting to see if ICS-CERT will provide new advisories for each vendor’s fixes of the problem or if it will just depend on CERT-CC updating their note.

ICS-CERT Monitor

The latest Monitor provides some additional information about the fairly extensive ICS-CERT response activity that we have been hearing a lot of second-hand information about over the last year or so. This Monitor provides a summary of response data for FY 2014 (which ended on September 30th). As we should have been able to guess from news reports, the largest category of affected industries was the Energy Sector.

We still don’t have any real description of the kinds of effects seen as a result of the attacks and we don’t know how many of the attacks were successful. There is a list of the generic attack vectors; not much new here. The second largest category was network scanning/probing at 22% and the third was spear phishing attacks at 17% (you can’t tell the relative sizes from the poor graphics). What is kind of scary though is that ICS-CERT could not find the source of the attack in 38% of the cases. I hope (and believe) this is a reflection of poor forensics and abysmal system logs and not of ICS-CERT’s capability to analyze control system attacks.

There is also a brief section here about the ICS-CERT outreach activity to industry. It mentions the two-hour Secret level briefing that was given 15 times across the country in December. I would have liked to have been able to see one of these (unlikely as my Secret clearance expired decades ago and forget about ‘need to know’), but I really doubt the efficacy of the briefings. I would expect that these were given to C-Level managers who could not then take them back to their ICS folks because of the lack of security clearances at the operational level. And forget about notes or handouts since very few organizations outside of the Defense Industrial Base have facilities cleared to store Secret documents.

There is a brief discussion about the ICS-CERT Cybersecurity Evaluation Tool (CSET). It does mention that version 6.2 was released in January. Unfortunately there is nothing about that on the ICS-CERT CSET web site or the CSET Fact Sheet (for some reason both are only accessible via the ICS-CERT page via the ‘Assessments’ link, the direct links do not work); neither mentions version numbers at all. There is, however, a series of YouTube® video tutorials about version 6.2, but they are not mentioned on the ICS-CERT site. The Monitor staff did promise to have more information about v 6.2 in the next issue.


Lots of other interesting stuff, but nothing worth discussing here. Read it for yourself; it’s free.

Friday, June 28, 2013

DHS Publishes ICS-CERT Monitor

Yesterday the DHS ICS-CERT published their now quarterly (formerly monthly) Monitor. This issue is important because it describes publicly for the first time the first really documented attacks (unsuccessful) on privately-owned control systems.

Pipeline Control System Attacks

We have been hearing about these pipeline attacks for some time now, but the article in the Monitor provides information about the extent of the attack without providing any sensitive details.

One of the more important pieces of information provided in the article was that the initial report to ICS-CERT of these attacks came from a single owner “about an increase in brute force attempts to access their process control network”. System logs identified 10 IP addresses associated with the attempted access. When ICS-CERT shared those addresses with other operators, similar attempted attacks were found in additional facility system logs and more IP addresses were identified. This, again, demonstrates the need for maintaining and checking system logs.
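As an added illustration of that point (example code, not from the Monitor article or this post): a small script that parses constructed gateway auth log lines, flags any source with repeated failed logins inside a short window, and cross-checks every failing source against a shared indicator list of the kind ICS-CERT circulated. Hostnames, addresses, the log format and the indicator list are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style auth lines from a process control network gateway
# (hypothetical hostname, RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """\
2013-05-01T02:10:01 pcn-gw sshd: Failed password for operator from 203.0.113.7
2013-05-01T02:10:03 pcn-gw sshd: Failed password for operator from 203.0.113.7
2013-05-01T02:10:04 pcn-gw sshd: Failed password for admin from 203.0.113.7
2013-05-01T02:10:06 pcn-gw sshd: Failed password for root from 203.0.113.7
2013-05-01T02:10:09 pcn-gw sshd: Failed password for root from 203.0.113.7
2013-05-01T03:15:22 pcn-gw sshd: Failed password for hmi from 198.51.100.9
2013-05-01T11:45:10 pcn-gw sshd: Failed password for operator from 192.0.2.44
"""

# Constructed stand-in for addresses shared by a coordinating body (hypothetical).
SHARED_INDICATORS = {"192.0.2.44", "203.0.113.99"}

THRESHOLD = 5                  # failed logins from one source...
WINDOW = timedelta(minutes=1)  # ...within this sliding window

def parse_failures(text):
    """Return (timestamp, source_ip) for every failed-login line."""
    failures = []
    for line in text.splitlines():
        if "Failed password" not in line:
            continue
        ts = datetime.fromisoformat(line.split()[0])
        ip = line.rsplit(" from ", 1)[1].strip()
        failures.append((ts, ip))
    return failures

def brute_force_sources(text, threshold=THRESHOLD, window=WINDOW):
    """Source IPs with >= threshold failures inside any window-long span."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def indicator_matches(text, indicators=SHARED_INDICATORS):
    """Source IPs in the log that also appear on the shared indicator list."""
    return {ip for _, ip in parse_failures(text)} & set(indicators)
```

Running the two checks together is the workflow the article describes: the local threshold surfaces the noisy source, and the indicator cross-check catches the quiet one that would otherwise pass unnoticed.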

The article also mentions, for the first time that I have seen, the existence of the ‘Control Systems Center’ on the US-CERT Secure Portal and notes that:

“ICS-CERT periodically releases alerts, advisories, and indicator bulletins via the Control Systems Compartment of the US-CERT Secure Portal that provides critical infrastructure constituents with information intended to be useful for network defense.”

We have seen some of these documents make their way to the ICS-CERT web page, but only after they have been available for a couple of weeks on the Portal. It seems to me that owners and operators of control systems owe it to themselves to ensure that they at least have representatives who can routinely access and monitor this site for valuable information.

Outside Contributors

This issue marks the first time that the Monitor has included articles from outside contributors. Kyle Wilhoit from Trend Micro wrote “Your SCADA Devices Are Being Attacked” and Reid Wightman from IOActive wrote “Why Sanitize Excessed Equipment”. Both short pieces provide valuable information. Inclusion of these outside contributors can only make the Monitor more helpful and maybe bring it back to a mostly monthly publication.

Other Offerings

There is a summary type article about the recent Verizon 2013 data breach report. For those that don’t have time to read the gritty details of that report, this is a good summary. ICS-CERT notes that they were one of the 19 global reporters of incident data that helped Verizon with that report.

There is a belated report on the introduction of CSET 5.0. There is still some good information, particularly about the changes that will probably be included in the next version. The article notes that customer feedback is one of the sources for the new ideas that ICS-CERT is trying to target in future versions. If you have ideas or comments, contact the ICS-CERT folks at cset@hq.dhs.gov.


All of the standard features we have come to expect in the Monitor are still here. The list of security researchers that are currently working with ICS-CERT continues to grow. All of these people should be encouraged to continue to publicly disclose (preferably through a coordinated disclosure, IMHO) ICS vulnerabilities that they discover. As a community we need to develop some way to reward them for their efforts so that they don’t have to sell their research to the highest bidder, who will probably keep the vulnerabilities quiet.