Tag: SCADA

Siemens SCALANCE 200

Siemens Patches Holes In Industrial Control Switch

A security researcher discovered two, serious security holes in a switch by Siemens that could allow an attacker to hijack industrial control system hardware that is heavily used by energy and transportation firms, among others. IOActive, a security consulting firm in Seattle, Washington, said on Thursday that Eireann Leverett, a senior security consultant, discovered two vulnerabilities in Siemens’ SCALANCE X-200 Switches. The vulnerabilities were in a web server component that provided administrators with access to features needed to configure the switches. If exploited, they would have allowed an attacker who had access to the same network as the SCALANCE switch to perform administrative actions on the devices, including updating the switch firmware and hijack active web sessions – all without needing to first log in to the device. SCALANCE is a family of Ethernet switches that connect to industrial control system (ICS) devices including programmable logic controllers (PLCs) and Human […]

Amphion Forum: Spotlight on Security and Internet of Things

A little more than a month from now, the world’s attention will shift to San Francisco for the annual RSA Security Conference – perhaps the biggest single IT security industry event of the year. But this week, at a much smaller venue, the focus will be about what’s amounting to the ‘next big thing’ in the security world: the Internet of Things.   The Amphion Forum focuses on a growing part of the computer security landscape that still struggles for attention in a security market still focused on the needs of large companies. Namely: the security challenges posed by mobile devices – phones and tablets and a menagerie of newly-connected endpoints, from wearable computers to implantable medical devices to household appliances. The privacy and security challenges facing organizations that wish to embrace the IoT are legion. Intelligent devices have been shown to lack basic protections against unauthorized access, such as strong […]

Ralph Langner

U.S. Cyber Security Framework Is Good News-For Hackers

Ralph Langner, the renowned expert on the security of industrial control- and SCADA systems, warns that the latest draft of the U.S. Government’s Cyber Security Framework (CSF) will do little to make critical infrastructure more resistant to devastating cyber attacks. Writing on his blog, Langner said that a draft of the National Institute of Standards and Technology’s (NIST’s) Preliminary Cybersecurity Framework does little to compel critical infrastructure owners to improve the security of their systems, or guarantee uniform (and robust) cyber security standards in the critical infrastructure space. NIST released the latest draft of the CSF late last month (PDF). But Langner, writing on Wednesday,  likened the framework to a recipe that, if used by three different chefs, produces three totally different dishes…or just a messy kitchen. “A less metaphorical words, a fundamental problem of the CSF is that it is not a method that, if applied properly, would lead to predictable results,” […]

NIST Draft Framework

NIST Cyber Security Draft Framework Puts Execs In Driver’s Seat

The U.S. government’s federal technology agency has published a draft version of a voluntary framework it hopes will guide the private sector in reducing the risk of cyber attacks on critical infrastructure. The National Institute of Standards and Technology (NIST) published a draft of its Preliminary Framework to Reduce Cyber Risks to Critical Infrastructure on Monday. The document provides a guide for critical infrastructure owners of different maturity levels to begin documenting and understanding their risk of cyber attack, and – eventually – to measure their performance in areas such as asset management, threat detection and incident response. The framework was called for by Executive Order 13636, signed by President Obama in February. In that order, NIST was charged with creating a framework for sharing cyber security threat information and information on successful approaches to reduce risks to critical infrastructure. The Framework is comprised of five major cybersecurity functions: Know […]

FDA: Medical Device Makers, Hospitals Need To Boost Cyber Security

The U.S. Food and Drug Administration (FDA) has issued guidance to medical device makers and hospitals that use their products to pay more attention to cyber security and the potential for cyber attacks on vulnerable medical instruments.   The FDA released its “Safety Communication for Cybersecurity for Medical Devices and Hospital Networks” on Thursday – the same day that the Department of Homeland Security’s ICS (Industrial Control System) CERT issued a warning about the discovery of hard coded “back door” passwords in some 300 medical devices from 40 separate vendors, including drug infusion pumps, ventilators and patient monitoring systems. The FDA said it expects device makers to “review their cybersecurity practices and policies to assure that appropriate safeguards are in place to prevent unauthorized access or modification to their medical devices or compromise of the security of the hospital network that may be connected to the device. Hospitals were instructed to harden […]