Industrial Control System (ICS) Hacks Demonstrated

by Ed Adams on November 27, 2012

SCADA systems continue to be shown vulnerable, but don't worry, it's only our nation's critical infrastructure.

The 12th annual ICS Cyber Security Conference was held at Old Dominion University a few weeks ago (October 22-25, 2012). What was reinforced is how far behind our industry is with respect to cyber security. I was expecting to read about all the deep, technical, revolutionary security topics that were discussed and sophisticated attacks that we haven’t seen before. Instead, there were elementary talks like "Introduction to Encryption, Authentication and Key Management" and demonstrations of attacks that, while disturbing, are nothing new:

  • An attacker with knowledge of the system demonstrated how, with less than $60 in off-the-shelf equipment, a Zigbee wireless network can be compromised, with complete loss of control for the operator.
  • A malware researcher with minimal understanding of ICSs was able to take control of SCADA software. Very simply, this researcher started with a vulnerability notification about the technology on which the SCADA system was built. With this information, he was able to implant malware to infect the system and take control of the vendor's SCADA software.

There was recently a write-up of a Shodan search that found nearly half a million ICS devices that should not have been Internet-facing. (Note: Shodan is a special kind of search engine that looks for computers based on software, geography, operating system, IP address and other specified options. For example, it can find servers running Apache 2.2.3 on Windows 2000 Server.) ICS devices that are remotely accessible are easily compromised if they aren't adequately protected -- and most are not. Many have unpatched software running on them with known security vulnerabilities. Even worse, many ICS vendors prohibit their customers from making any changes to ICS devices -- either because it will cause the device to malfunction and/or will put the end user out of warranty. As a result, most ICS consumers opt to make no change at all so as to not jeopardize their manufacturer's warranty and guidance, DESPITE the security risk.

The information I share above highlights a key commonality: the ICS manufacturers and their customers are putting us all at risk. Sometimes willingly; sometimes out of fear of being "out of warranty"; sometimes out of sheer ignorance of the threats. The only things that will change this horrendous situation are if Congress finally passes a CyberSecurity Bill (which I discussed in my previous blog post) that has measurable accountability controls and/or we suffer an attack that takes out our power grid or another piece of critical infrastructure. I'm sure the Saudis weren't expecting the attack that destroyed 30,000 PCs at Saudi Aramco (largest state-owned oil producer) ... and that was just a warning. If they could get to all these PCs and cripple them, imagine what the attackers could have done if they wanted to launch a real attack.

Topics: developer guidance, application security
