ics vulnerability disclosure
play

ICS Vulnerability Disclosure To Disclose or Not to Disclose - PowerPoint PPT Presentation

Jan 08, 2023 •153 likes •403 views

ICS Vulnerability Disclosure To Disclose or Not to Disclose ICS-CERT Control Systems Security Program U.S. Department of Homeland Security ICS Security Entered the Public Stage Pace for ICS Vulnerability Disclosure is Quickening Reported ICS

  1. ICS Vulnerability Disclosure To Disclose or Not to Disclose ICS-CERT Control Systems Security Program U.S. Department of Homeland Security

  2. ICS Security Entered the Public Stage

  3. Pace for ICS Vulnerability Disclosure is Quickening

  4. Reported ICS Vulnerabilities 160 2011 Anticipated 140 120 2011 YTD 100 80 2010 60 40 2009 20 0 Vulnerabilities

  5. Who is Disclosing Vulnerabilities?  ICS vendors  Reporters from undisclosed sources  Security researchers  Most new vulnerability reports have been from researchers without a control systems background

  6. More Security Researchers are Getting in the Game  Researchers with an interest in ICS are increasing their work on control system vulnerabilities  Researchers with no background in control systems have started looking at control system products and finding vulnerabilities  Researchers who wear hats with a range of colors have all started paying attention to ICS vulnerabilities

  7. Who are the Researchers? Researchers come from various backgrounds and from a wide range of countries.

  8. Why Do Security Researchers Report Vulnerabilities?  Improve the security of industrial control systems  Desire for vendors to write better code  Passion for hunting for and finding vulnerabilities  Report vulnerabilities found during security assessments  Reputation building for name recognition or promotion of consulting services  Financial reward

  9. Zero-Day Market  Buyers  Brokers between  Nation-States Researchers and buyers  Underground Market  Commercial Buyers  Products that contain  Zero-Day Initiative zero-day exploits (TippingPoint)  Argeniss  iDefense  Immunity  Vendors − bug bounty  GLEG programs

  10. GLEG Agora SCADA+ Exploit Pack  Immunity’s CANVAS is a penetration framework similar to the popular Metasploit tool  GLEG is a small company based in Moscow, Russia, that produces add-on exploit packages for CANVAS  March 15, 2011, GLEG Ltd. announced the Agora SCADA+ Exploit Pack  March 25, 2011, GLEG announced it would be adding exploits for the 35 vulnerabilities released by Luigi Auriemma on March 21, 2011  ICS-CERT has issued two Alerts warning of the availability of this exploit pack and a subsequent update

  11. Agora SCADA+ Pack GLEG Website:  “This is an attempt to collect ALL publicly available SCADA vulnerabilities in one exploit pack.”  “SCADA and related vulnerabilities are very special due to its sensitive nature and possible huge impact involved to successful exploitation.”  “SCADA Systems are also ‘hard to patch,’ so even old vulnerabilities are actual.”

  12. The Agora SCADA+ Pack features GLEG Website: Growing value  “Due to low real systems patch rank 100% public SCADA vulns coverage”  “Including old and newly discovered bugs 0 Days for SCADA”  “We conduct our own in depth research focused on Industrial software & hardware environment”  “Not only SCADA, but also Industrial PCs, smart chips, and industrial protocols are reviewed. Weak points analyses”  “Many industrial things suffer from weaknesses like hardcoded password and etc.”

  13. Agora SCADA+ Pack  GLEG and Immunity have both told ICS-CERT that they have no plans to release any vulnerability details regarding the Agora SCADA+ exploit pack  At least two ICS vendors have purchased software from GLEG  GLEG has agreed to notify ICS-CERT of any future product updates  Cost of licenses (Total 1 year: $8,930 )  Immunity CANVAS 1-year license: $3,530  GLEG Agora SCADA+ Exploit Pack 1 year: $5,400

  14. Why are Researchers Targeting Specific ICS Products?  Accessibility of ICS Software  Products are often identified by researchers doing a Google search for SCADA software and finding evaluation versions  Product Reexamination (copycat)  Researchers often see public disclosures of vulnerabilities in product X, and follow up by downloading product X and finding additional vulnerabilities

  15. Product Reexamination Example Ecava IntegraXor Ecava is a small Malaysia-based company. IntegraXor is a web-based HMI used in factory and process automation  October 4, 2010, Jeremy Brown coordinated a buffer overflow  December 12, 2010, Luigi Auriemma posted to exploit-db.com details about a directory traversal vulnerability  December 21, 2010, Dan Rosenberg with Virtual Security Research coordinated an unauthenticated SQL vulnerability  December 22, 2010, Mister Teatime posted a DLL hijacking vulnerability to OSVDB.org  April 12, 2011, Knud with nSense coordinated multiple XSS vulnerabilities

  16. Luigi Auriemma’s Disclosures  October 15, 2010, RealWin Buffer Overflow Unanticipated  December 8, 2010, Wonderware InBatch Buffer Overflow Unanticipated  December 21, 2010, Ecava Integraxor Directory Traversal Unanticipated  December 22, 2010, Sielco Sistemi Winlog Stack Overflow Coordinated  March 21, 2011, Siemens Tecnomatix FactoryLink Unanticipated  March 21, 2011, Iconics Genesis Unanticipated  March 21, 2011, 7-Technologies IGSS Unanticipated  March 21, 2011, RealFlex RealWin Unanticipated

  17. Luigi’s Media Attention

  18. Dale’s Interview with Luigi “Anyway I have some other SCADA vulnerabilities in my pocket and 3 of them are about a very big vendor, but at the moment I have still not planned the releasing of these additional security bugs or if they will be under full or responsible disclosure.”  ICS-CERT reached out to Luigi to inquire about his claims  Luigi disclosed the vendor name, but no other details  ICS-CERT notified the vendor who contacted Luigi Auriemma  Luigi asked the vendor for compensation for his research work  The vendor declined  No further communication has occurred between Luigi and the vendor

  19. ICS-CERT Vulnerability Coordination  Coordinated Vulnerability Disclosure (Responsible Disclosure)  Unanticipated Vulnerability Disclosure (Full Disclosure)

  20. Coordinated Vulnerability Disclosure  Reporter contacts the vendor, ICS-CERT, or other coordination organization prior to public disclosure of vulnerability details  ICS-CERT provides attribution to reporter in all ICS-CERT products

  21. ICS-CERT Coordinated Vulnerability Researcher Vendor notifies Customer patch notifies customers of window ICS-CERT patch ICS-CERT will ICS-CERT ICS-CERT or publish Advisory passes report to researcher to US-CERT vendor validates patch website Vendor asked to Vendor develops ICS-CERT validate report mitigation closes ticket

  22. Unanticipated Vulnerability Disclosure  Reporter publicly discloses vulnerability details without contacting the vendor, ICS-CERT, or other coordination organizations  ICS-CERT does not provide attribution to reporter in published products

  23. ICS-CERT Unanticipated Vulnerability ICS-CERT will Vulnerability ICS-CERT or publish Advisory publicly researcher to US-CERT disclosed validates patch website ICS-CERT Vendor develops ICS-CERT notifies vendor mitigation closes ticket Vendor asked to ICS-CERT validate publishes Alert disclosure

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Vulnerability disclosure Dont forget overall goal: improve software safety Consider

Vulnerability disclosure Dont forget overall goal: improve software safety Consider

Vulnerability disclosure Dont forget overall goal: improve software safety Consider incentives for researchers, software vendors, customers Supply chain can be complex Software component developers Open source Resellers

621 views • 20 slides
Financial Vulnerability in Nonprofit Organizations Topics z Financial statements z Disclosure

Financial Vulnerability in Nonprofit Organizations Topics z Financial statements z Disclosure

Financial Vulnerability & Fraud in Nonprofit Organizations Prepared for the 2010 MOWAA Annual Conference by Janet Greenlee Department of Accounting. University of Dayton Janet.greenlee@ notes.udayton.edu Financial Vulnerability in

534 views • 29 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide & inform frontline workers & decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Vulnerability to Disasters: A Gendered Analysis on Water Availability and Livelihoods in Nadu Colony, Kovalam, Chennai, India Group No: 02 Sumaia Kashem Shreeya Lohani Shanmuga Priya. G Meththa Prabodhani Menike

834 views • 40 slides
Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies with 1000+ web applications running Move to m -services architectures making things worse Huge shortage of skilled security engineers to

732 views • 48 slides
The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators

The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators

The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators (excluding Male') Highest elevation 1.5m Population: 298,968 above sea level less than 1000 97% of all inhabited 59 % Total number of

357 views • 4 slides
1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino, Managing Director, Systems Engineering Dr. Kaustubh Phanse, Principal Wireless Architect Md. Sohail Ahmad, Senior Security Researcher Moderator: Della

314 views • 29 slides
Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability Life

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability Life

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability Life Cycle CSU Cybersecurity Center Computer Science Dept 1 1 Topics Vulnerability Life Cycle Vulnerability Discovery models 2 Vulnerability

805 views • 46 slides
Vulnerability of LDCs to Climate Change Lessons from a New Indicator of Physical Vulnerability to

Vulnerability of LDCs to Climate Change Lessons from a New Indicator of Physical Vulnerability to

Vulnerability of LDCs to Climate Change Lessons from a New Indicator of Physical Vulnerability to Climate Change Patrick GUILLAUMONT and Catherine SIMONET FERDI and CERDI, CNRS- Universit dAuvergne September, 2012 Introduction A growing

247 views • 23 slides
VULNERABILITY THEOLOGICAL FOUNDATIONS R OY H OWARD & S HELBY E THERIDGE H ARASTY S EPTEMBER

VULNERABILITY THEOLOGICAL FOUNDATIONS R OY H OWARD & S HELBY E THERIDGE H ARASTY S EPTEMBER

VULNERABILITY THEOLOGICAL FOUNDATIONS R OY H OWARD & S HELBY E THERIDGE H ARASTY S EPTEMBER 11, 2019 I want to start a global conversation about vulnerability, shame and courage. Bren Brown VULNERABILITY Comes from the Latin word

156 views • 13 slides
Consumer Vulnerability Martin Coppack 1 FCA unrestricted Consumer vulnerability: the problem

Consumer Vulnerability Martin Coppack 1 FCA unrestricted Consumer vulnerability: the problem

FCA unrestricted Consumer Vulnerability Martin Coppack 1 FCA unrestricted Consumer vulnerability: the problem raised Industry Consumer organisations Lots being done Numerous good practice guides & systems may be in place

524 views • 13 slides
Mike Riccardi | Shepherds Conference | March 10, 2016 I. The Principles of Sanctification II.

Mike Riccardi | Shepherds Conference | March 10, 2016 I. The Principles of Sanctification II.

Mike Riccardi | Shepherds Conference | March 10, 2016 I. The Principles of Sanctification II. The Means of Sanctification III. The Dynamics of Sanctification Two foundational texts on sanctification: Philippians 2:12 13 So then,

1.19k views • 59 slides
tt t r

tt t r

tt t r Pt r r rtt sttt

691 views • 24 slides
New Ways Im Going to Hack Your Web App Rich Lundeen,

New Ways Im Going to Hack Your Web App Rich Lundeen,

New Ways Im Going to Hack Your Web App Rich Lundeen, Jesse Ou, Travis Rhodes MicrosoE Boss Engineering Security Team & Office 365 Pen Test

1.28k views • 103 slides
Moral Considerability Morally considerable Obligations regarding or with respect to

Moral Considerability Morally considerable Obligations regarding or with respect to

Moral considerability and Noonan Abortion and Moral Considerability Noonans Argument Moral Considerability Morally considerable Obligations regarding or with respect to Moral standing Obligation regarding

155 views • 3 slides
Zip Py: A Simple Python 3 for the JVM Wei Zhang UC Irvine ! 1 Python? Dynamic languages are

Zip Py: A Simple Python 3 for the JVM Wei Zhang UC Irvine ! 1 Python? Dynamic languages are

Zip Py: A Simple Python 3 for the JVM Wei Zhang UC Irvine ! 1 Python? Dynamic languages are here to stay People use it too : NumPy, Django Concise syntax, good readability Py3k is the future ! 2 JVM, the Platform 100+

955 views • 24 slides
Art in the Ancient World LECTURE 4 | Art of Ancient Greece A U G G U S T I I N N E E C O L

Art in the Ancient World LECTURE 4 | Art of Ancient Greece A U G G U S T I I N N E E C O L

Art in the Ancient World LECTURE 4 | Art of Ancient Greece A U G G U S T I I N N E E C O L L E G G E kosmos kaos Geometric style vases 700 BC Hephaistos assisting in the

903 views • 66 slides
May 20, 2011 Investor & Analyst Day Agenda 10:00 AM Introduction and overview of BGC -

May 20, 2011 Investor & Analyst Day Agenda 10:00 AM Introduction and overview of BGC -

May 20, 2011 Investor & Analyst Day Agenda 10:00 AM Introduction and overview of BGC - Chairman/CEO Howard W. Lutnick 10:15 AM BGCs track record to date - President Shaun D. Lynn 10:30 AM Financial Highlights - Graham

1.44k views • 126 slides
Th The C Clie ient nts s You ar are Se Seeki king ng are Al ar Also o Se Seeki king

Th The C Clie ient nts s You ar are Se Seeki king ng are Al ar Also o Se Seeki king

Th The C Clie ient nts s You ar are Se Seeki king ng are Al ar Also o Se Seeki king ng You 4 4 Dev evelop Your Si Signature Message 1 Course Overview 1) Radiate Your True Self 2) Envision Your Ideal Life & Business

424 views • 14 slides

More recommend