Upload File

tutorial - us-cert

19
Tutorial Session 2c: Known ICS Vulnerabilities Sean McBride, MA Critical Intelligence August 11, 2009 Idaho Falls, Idaho

Upload: others

Post on 11-Feb-2022

7 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Tutorial - US-CERT

Tutorial

Session 2c: Known ICS Vulnerabilities

Sean McBride, MA Critical Intelligence

August 11, 2009Idaho Falls, Idaho

Page 2: Tutorial - US-CERT

Outline

What ICS vulnerabilities do we know about?–

NVD

OSVDB–

Security vendors

ICS vendorsIssues in public disclosure of vulnerability info–

Code re-use

Protection

Page 3: Tutorial - US-CERT

NVD

Page 4: Tutorial - US-CERT

NVD

National Vulnerability DatabaseI count 30Example flow: finder → US-CERT → CERT/CC → vendor → patch → MITRE → NIST NVD–

SISCO OSI stack

OPC Servers –

Cisco Physical Access Gateway

Art Manion

(of CERT/CC) sees trend away from neutral party disclosure

Presenter
Presentation Notes
Page 5: Tutorial - US-CERT

NVD

Q1 2009 saw 10 additions – most everQ2 2009 saw no additions

Page 6: Tutorial - US-CERT

OSVDB

Page 7: Tutorial - US-CERT

OSVDB

Open Source Vulnerability Database (OSVDB)I count NVD (30) + 3Researcher → mail list (e.g. FD, bugtraq) → community notices → submits to OSVDBExamples: Phoenix contact, Lantronix

Page 8: Tutorial - US-CERT

Security vendors and practitioners

Page 9: Tutorial - US-CERT

Security vendors and practitioners

Security vendors and practitioners1017Discovery (e.g. reverse engineering, fuzzing) Purchase (Tipping Point ZDI, iDefense VCP)Examples–

Wurldtech

(Delphi 1000+, 16 per device)

AlienVault–

Other posts from researchers

May not end up in DB

Page 10: Tutorial - US-CERT

Intentional leakage?

Page 11: Tutorial - US-CERT

ICS Vendors

Page 12: Tutorial - US-CERT

ICS Vendors

Product support announcementsLots of these, I can point to 5Description of how a vulnerability ends up in vendor hands–

internal testing

external information (e.g. Microsoft patches)Example: ICONICS

Page 13: Tutorial - US-CERT

ICONICS

Jan 2007

Page 14: Tutorial - US-CERT

ICONICS

Found by CERT/CC using software now open source in demo OPC ActiveX controlsSep 2008: researcher posts exploit to Milw0rmOct 2008: Blog reports Web-hosted exploitOct 2008: US-CERT issues CIIN-08-302-01–

Criticism repeated

Look deeper: vuln in DlgWrapper.dllJan 2007 common component update includes new DlgWrapper.dll

Page 15: Tutorial - US-CERT

ICONICS

Page 16: Tutorial - US-CERT

Issues in public disclosure

OEM/third party make it difficult to track down what is vulnerable Examples–

Microsoft announcements and vendor testing (Direct X early July 2009)

Rockwell Automation Ethernet Bridge Web server (Feb 2009)

ABB’s Markus Braendle: vendors in a hard spot–

LiveData

and NukePHP

Art Manion

CERT/CC says tracking possible

Page 17: Tutorial - US-CERT

Issues in public disclosure

Protection Examples–

AREVA -

signature

Snort signatures by Digital Bond–

OMRON Fins proprietary by Sourcefire

Threat of reverse engineeringSignature obfuscation?

Page 18: Tutorial - US-CERT

Conclusion

There are lots of ICS vulnerabilitiesValue in looking deeperSolutions–

Vendor policy:

Follow existing recommended practice for vuln

handling•

Security DLC•

Greater transparency

Asset owners•

Push back on vendors –

demand to know•

Share information•

Learn to act on vulnerability information

Page 19: Tutorial - US-CERT

Contact Information

Sean McBrideCritical IntelligenceSean.McBride@critical-intelligence.comwww.critical-intelligence.com


About Us Tutorial

ICS-CERT Monitor December 2011 - US-CERT

Mid Us Sv 2 Tutorial

INCIDENT RESPONSE ACTIVITY - ICS-CERT · ICS-CERT continued its cyber incident response and risk reduction mission in 2013 ... the Control Systems compartment of the US-CERT ... applications

Sketch Tutorial US

CRR Supplemental Resource Guide - US-CERT · Resilience Management Model (CERT ®-RMM). 3 The CERT-RMM is a maturity model for managing and improving operational resilience, developed

US-CERT Security Trends Report: 2012 in Retrospect · US-CERT Security Trends Report: 2012 in Retrospect US-CERT Security Trends Report: 2012 in Retrospect ... tool gathers from NetFlow

US MARINE CERT

JULY/AUGUST 2011 What is ICS-CERT?...The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) provides a . control system security focus in collaboration with US-CERT

CERT Program Administration Tutorial · 26/7/2013  · CERT Teams that are within a CERT Program. A CERT program conducts the training, organizes and recognizes the “teams,” and

US-CERT Year in Review...The United States Computer Emergency Response Team (US-CERT) is a 24x7 operational entity focused on collecting and analyzing data and disseminating the information

US v Davis Cert Petition

Information Security Monthly Activity Report*3/31/2015 VA-NSOC Incident Number: VANSOC0618799 Date US-CERT Notified: 3/27/2015 US-CERT Case Number: INC000000454308 DBCT Category: Unencrypted

11-262 US Reichle v Howards (cert amicus) (1)

Commercial Facilities Sector - US-CERT · Commercial Facilities Sector organizations are encouraged to visit the US -CERT Critical ... primary criteria for assistance would be criticality,

Scrib Us Tutorial

JULY/AUGUST 2011 What is ICS-CERT?gency Readiness Team (US-CERT), National Coordinating Center (NCC) for Telecom-munications, ICS-CERT, and the DHS Intelligence and Analysis group,

Tutorial C4D US

DHS / US-CERT Overview

CERT Program Administration Tutorial · 7/26/2013  · CERT Teams that are within a CERT Program. A CERT program conducts the training, organizes and recognizes the “teams,” and

 · cert cert cert cert cert cert cert cert cert cert cert last berge-son ... blasius bode brown brownell carson chilson dunn duvall fallis eiseman felicia heinrich hope juhnke kenny

Hogan v Kaltag, US as Amicus Curiae on Cert to US Supreme Ct,

Tuaua v US, Cert Petition & Appendix

Computer Security Incident Handling Guidehossein/Teaching/Sp12/... · States Computer Emergency Readiness Team (US-CERT), Mike Witt of US-CERT, and Murugiah Souppaya of NIST. The

Year 12 Careers Tutorial Programme - St Aidan's · 3 subjects UCAS Tariff Points BTEC Dipl. Double Award BTEC Ext. Cert. AQA/ WJEC Ext. Cert. AQA/ WJEC Cert. Cambridge Technical Ext.Cert

Information Security Monthly Activity Report* · 1/22/2015. US-CERT Case Number: INC000000435111. US-CERT Category: Category 6 - Investigation. No. of Credit Monitoring: No. of Loss

US-CERT National Cyber Security Division/ U.S. Computer Emergency Readiness Team (US-CERT) Overview Lawrence Hale Deputy Director, US-CERT

US-CERT Year in Review US-CERT Year In Review CY2012.pdfUS-CERT Year In Review - CY 2012 7 Other key initiatives include: US-CERT’s International ... capability that alerts when

Petition for Cert. To US Supreme Court, v. GA Power

Build Security In | US-CERT

CERT Registration Tutorial€¦ · Registration Requirements ... CERT Registration Tutorial 5 Begin Registration • Enter CERT program’s name, country, state, and local jurisdiction

Scad a Tutorial Us

CERT I PORT - Pearson VUE€¦ · CERT I PORT ® A PEARSON VUE BUSINESS Microsoft Technology Associate (MTA) Exam Tutorial Note: The 98-383 exam details illustrated in this tutorial

Contracts Tutorial 9-10 US LAW

Protecting Aggregated Data - US-CERT | United States Computer