ICS-CERT (Industrial Control Systems Cyber Emergency Response Team), under the Department of Homeland Security of the US government, has issued an alert about a possible SCADA vulnerability affecting solar power plants.
The affected product is the Sinapsi eSolar Light Photovoltaic System Monitor, which is used to communicate with photovoltaic inverters, gauges, energy meters, network analysers, etc. The exploit allows a hacker to “remotely connect to the server and executing remote code, possibly affecting the availability and integrity of the device,” according to the report issued at the CERT website.
According to two security researchers, Roberto Paleari and Ivan Speziale, the vulnerabilities are exploited by authenticating to the service using hard-coded credentials. They identified the vulnerable system as the Schneider Electric Ezylog photovoltaic SCADA management server. It is stated to suffer from multiple vulnerabilities, including SQL injection vulnerabilities and hard-coded authorizations.
ICS-CERT has working proof-of-concept code and has contacted the vendor of the software to confirm the vulnerability and identify mitigations. This comes days after Defense Secretary Leon Panetta warned about a possible ‘cyber Pearl Harbor’ in a speech at the Intrepid Air and Space Museum. SCADA systems are the underlying control systems of important national infrastructure such as power plants, and even small cyber-attacks on them could have big repercussions for the nation as a whole.
The second World Cyber Security Technology Research Summit met in Belfast recently and outlined a new research roadmap to tackle the problem of cyber crime on an international scale.
The summit was sponsored by the Centre for Secure Information Technologies at Queen’s University, Belfast. It was attended by some heavy hitters in the security industry. According to the Queen’s University press release, it “included Chief Scientific Advisor from the UK Home Office – Professor Bernard Silverman, Cyber Security Division Director of US Homeland Security – Dr Douglas Maughan, Chairman and CEO of Kaspersky Labs – Eugene Kaspersky, Director of Innovation, Connected Energy Networks Cisco – Barbara Fraser, and Raj Samani, CTO, EMEA, McAfee.”
The conference produced four collaborative roadmap documents, each focused on a distinct area:
Adaptive Cyber Security Technologies – Systems need to have the ability to learn from cyber security events, and to do so on the fly. It was agreed that adaptive techniques could be risky, for instance if the system learns the wrong thing, but the consensus was that adaptive technologies were necessary and must be developed.
Protection of Smart Utility Grids – This addressed both physical and cyber security. One of the big focuses was on the standardization of smart meters and grid management systems.
Security of Mobile Platforms and Applications – The big challenge of this area is that mobility is too broad, and it was agreed that no single source could develop security. Protecting the consumer was a big topic of conversation.
Multifaceted Approach to Cyber Security Research – Some topics discussed here were sort of like a wish list. For instance, getting people to be as personally responsible for their own cyber security as they are for their physical security.
To be honest, as an IT Manager, the information flowing out of this summit is both fascinating and overwhelming. Some fantastic resources and presentations can be found on the “Belfast 2012” website at http://www.csit.qub.ac.uk/News/Events/Belfast2012/. Anyone interested in cyber security and getting a glance at what the big players in the biz are thinking should view this material.
CSIT Principal Investigator, Professor John McCanny, said, “Ultimately our objective is to help make the Internet of tomorrow a safe and secure platform which is vital for global economic growth and societal development.” I say that is a tall order, but due to the many rogues lurking in every corner of our world, it’s an objective that has to be met. When it’s all said and done, I wouldn’t put my money on freedom as being their top priority.
They will never stop, will they? A group of Republican senators in the USA introduced a revised version of a cybersecurity bill, called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information and Technology Act (SECURE IT). This aims to be the less regulated alternative to yet another draconian bill called the Cybersecurity Act that the Democrats in the US Senate had proposed.
SECURE IT is basically the shelved CISPA act disguised under a new name. It would give the Government and private companies more freedom in sharing information about cyber threats and cyber criminals. While the original CISPA had laid down harsh punishments and accusations against any potential cybercriminal, the ‘verdict’, so to speak, of SECURE IT is as yet unclear.
The Republican representative from Texas, Kay Bailey Hutchison, who is a proponent of the bill, had this to say:
Our bill focuses on giving companies and the government the tools and knowledge they need to protect themselves from cyber threats, and creates new important requirements for government contractors to notify their agencies of significant cyber-attacks to their systems.
The bill allows the Government or a private party to collect as much information as possible on a potential threat, violating his/her civil liberty of privacy, as long as they deem that said person is a threat to the normal functioning of the organization.
How annoying is this, you ask? Very. Very annoying.