2011-02-15

McAfee Documents “Night Dragon” APT

(This article was originally published on the Findings From the Field blog.)

McAfee has released a report describing a new Advanced Persistent Threat they dubbed "Night Dragon." The attackers were able to take remote control of assets they compromised. In this attack, though, the motive was not sabotage, but the theft of competitive intelligence. What is distressing is that while the adversary behind the attack seems very capable, the technology of the attacks was not very sophisticated. These adversaries were able to take over control system assets and energy-industry infrastructure using fairly unsophisticated "remote administration" toolkits.

2011-02-08

Still No Report on Fly-Away Teams

(This article was originally published on the Findings From the Field blog.)

The ICS-CERT has released a 7-page 2010 Year in Review summary. Prominent industrial security commentators Dale Peterson, PJ Coyle and Joel Langill have each posted on the summary, with Joel posting a mostly-positive review, and Dale and PJ indicating that the Stuxnet "lessons learned" section is very much lacking those important lessons the ICS-CERT should itself have learned about its own response to the worm. My own opinion of the report reflects my desire for better indications of progress in the field of ICS security. Reading between the lines of the "lessons learned" by the fly-away teams is suggestive, but such speculation should not be necessary.

2011-02-01

Compliance Managers Support Forensics

(This article was originally published on the Findings From the Field blog.)

One aspect of forensics practice which is regularly mentioned but is rarely described in any detail is configuration management. All of the references in last week's post Security Basics: Control System Forensics recommend documenting security configuration and other aspects of important hosts so that when there is an incident, you can compare the state of a potentially compromised host to the approved configuration for that host. However, none of the references describes how to record or manage such "approved configuration" information.

2011-01-27

Security Basics: Control System Forensics

(This article was originally published on the Findings From the Field blog.)

Most network administrators recognize the term computer forensics as the discipline of collecting evidence from computers for use in court. What may not be apparent is that computer forensics practices and technologies are also useful tools for general troubleshooting. Forensic records must be detailed enough to identify the cause of intrusions and other incidents that may lead to litigation. As a result, these records are almost always detailed enough to identify the causes of other kinds of problems, from performance anomalies to operator and administrator errors and omissions. But what kinds of real-time forensics are appropriate to deploy on industrial control systems?

2011-01-19

CIP-002-4 Is Coming

(This article was originally published on the Findings From the Field blog.)

NERC announced earlier this month that long-debated changes to the NERC CIP-002 standard have passed ballot and are being submitted to the NERC board for approval. The changes introduce a "bright line rule" defining Critical Assets and Critical Cyber Assets. The rule eliminates the discretion NERC entities had in versions 1-3 to define their own risk-based assessment methodologies to identify Critical Assets. The changes should result in a much larger pool of assets being identified as critical and so subject to the CIP standards. It remains to be seen, though, whether utilities will take this opportunity to strengthen their security programs in light of recent advanced threats to control systems.

2011-01-12

Review: Tofinosecurity.com’s Stuxnet Central

(This article was originally published on the Findings From the Field blog.)

The Byres Security Tofinosecurity.com site has a useful page called Stuxnet Central. Some of the materials on the page require that you become a member of the site to access them, but once you have a password, you have access to everything. On Stuxnet Central, Tofinosecurity.com has links to all of their own Stuxnet materials, including a handy list of links to all of the Stuxnet-related Practical SCADA Security blog entries. There are also links to a nice cross-section of external resources, everything from Microsoft's vulnerability reports, to representative articles from the popular press, to detailed technical discussions of the worm. If you are coming up to speed on Stuxnet, or if you have been following along and want to be sure there is nothing you missed, I can recommend Tofino's Stuxnet Central. If you've never looked through the page in detail, there are a couple of interesting surprises...

2011-01-06

Industrial Defender Updates Stuxnet Whitepaper

(This article was originally published on the Findings From the Field blog.)

Industrial Defender has released their updated Stuxnet Whitepaper: The Stuxnet Worm and Defenses for Advanced Threats. You do need to register to access the paper, but once registered you will have access to all of Industrial Defender’s archived papers and webinars. The updated whitepaper assumes you understand control systems, and provides control systems engineers with the information needed to evaluate their security programs in light of advanced threats. The whitepaper uses the Stuxnet example to illustrate how products from the Industrial Defender security suite react to advanced threats. The paper concludes that given the apparent success of recent attacks, it is only reasonable to expect new advanced attacks in the months ahead.