Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
3 Steps Towards Building Cyber Resilience Into Critical Infrastructure
Newest First  |  Oldest First  |  Threaded View
kwcharlie
50%
50%
kwcharlie,
User Rank: Apprentice
8/13/2016 | 7:18:26 PM
Very good Dana, thank you
But "pearls before swine" for IT; but people like Ralph Langner appreciate it.  I wish you good luck getting IT to not trample them.  But you know you're up against an IT/CEO community that thinks the balloon popping in the Zero Days movie was a good example of Stuxnet attacking a PLC, and those IT's who popped it didn't hide their face when they did it like the other's that did/said equally outrages things about ICS and Cyber Security in that movie but I digress. 

IMHO we are still very vulnerable to another Stuxnet type attack. Ukraine wasn't even close to it, they just tripped out their "Mark#/MFR" [I was GE too] type controls.  They didn't even try to auto close a generator breaker out of phase like the Aurora test; little hardware or capacity was destroyed in the Ukraine but it was tested on a real system [the Russian grid] like Stuxnet not some Matlab type simulation since it did trip the grid out.  Maybe a warning that next time they will disable the Sync Relays and allow real damage to the Ukrainian grid.

More recently: is anyone looking into the software in the "power-control module" that caused the Delta Air Server transformer fire? What better test bed for your new Stuxnet type worm imbedded in a bunch of server farm UPS Inverters/Controls than an airline where you could monitor the attack, and recovery, from any airport with a Delta terminal.  No need to go to centrifuges at Oak Ridge to test your controller code on the hardware like Stuxnet did. 

One of the few things Zero Days got right was the Iranians would have never known about Stuxnet if "they" didn't move/changed the attack up to destroying centrifuges from just making them just not work as good.  The movie got it VERY wrong about WHO those "they" were but that's another rant for someone like Langner who's above my pay grade around who did what about Stuxnet.  Did I mention that the Zero Days movie did a serious disservice to the ICS [or IACS as Ralph says to remind people, like USNUKE, that Automation systems protections are exposed too] community?  

I'm thinking what happened at Delta and SW airline servers could have been a test [or premature deployment] of an embedded worm as sophisticated as Stuxnet but is one of many other ICS reported incidents. How many are not reported?.  I wouldn't trust Delta's statement it was "when a critical power control module at a Delta data center malfunctioned, which caused a surge to the transformer and a loss of power" that's IT doing big time CYA for good reason with the redundancy they bought for their servers.

OK, I'm also thinking Occam's razor says the Delta fire was just an old UPS controller failure and the recovery was seriously delayed because poor advice/decisions by IT around Delta's server farm backup redundancy.  ICS's advice for triple redundancy was ignored I'm sure, it's only passenger inconveniences at one airline, not oil in the water.  IT says there's no need for any extensive ICS investigations here, IT has seen these UPS's fail all the time I'm told, we should have spent more money for more redundancy IT says, that's all.

If there is ever an attack advanced as Stuxnet on us we won't know it until it's too late if your advice isn't taken and we do more ICS forensics. The next Stuxnet attack won't be on a target as obscure as S7 control of inverters over 1000 Hz and I see no sign the Sheldon Cooper's of IT are any more likely to listen to us lowly Wolowitz Engineers, the Delta server farm backup transformer fire is just the most recent example. 

Did I mention Zero Days is a very misleading movie in this ramble?  
enhayden
50%
50%
enhayden,
User Rank: Strategist
8/3/2016 | 12:22:07 PM
Excellent Suggestions and Proper Order
Although a very brief article this is an excellent approach to developing resiliency in Critical Infrastructure.  Yes, you NEED to know your assets and you need to identify those assets by criticality.  Focus on the most critical assets for your plan.

Secondly, you NEED to have an incident response capability that is adequate and practiced.  It is kind of like moving into a house and the first thing you do is have a fire drill.  Why?  There's no fire...but, the chance of a fire can strike anytime (i.e., similar philosophy to "assumption of breach").

Thirdly, when you prepare your incident response, don't forget the external resources you need to have at hand.  Consider having a solid cyber security vendor at your fingertips what can respond to help immediately.  Don't forget outside counsel and the FBI/Secret Service for grave cyber attacks.  etc.

Again, well done....perfect order of priorities.

Thanks!

Ernie Hayden CISSP CEH GICSP(Gold) PSP
_thecre
100%
0%
_thecre,
User Rank: Apprentice
8/2/2016 | 1:57:59 PM
Cyber Reliance
Ms. Pasquali is right, America's infrastructure needs to be cyber reliant, our nation depends on it. For more information, please see the CircleID article, Achieving a Cyber-Reliant Infrastructure www.circleid[dot]com/posts/20120222_achieving_a_cyber_reliant_infrasructure/


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-44093
PUBLISHED: 2021-11-28
A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell
CVE-2021-44094
PUBLISHED: 2021-11-28
ZrLog 2.2.2 has a remote command execution vulnerability at plugin download function, it could execute any JAR file
CVE-2021-4020
PUBLISHED: 2021-11-27
janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-23654
PUBLISHED: 2021-11-26
This affects all versions of package html-to-csv. When there is a formula embedded in a HTML page, it gets accepted without any validation and the same would be pushed while converting it into a CSV file. Through this a malicious actor can embed or generate a malicious link or execute commands via C...
CVE-2021-43785
PUBLISHED: 2021-11-26
@joeattardi/emoji-button is a Vanilla JavaScript emoji picker component. In affected versions there are two vectors for XSS attacks: a URL for a custom emoji, and an i18n string. In both of these cases, a value can be crafted such that it can insert a `script` tag into the page and execute malicious...