Following reports about a backdoor login account in its entire line of devices, RuggedCom, a Canadian manufacturer of equipment and software for critical industrial control systems has announced it will eliminate this vulnerability.
Security experts have raised concerns about this issue, noting that this security problem had been discovered a year ago. The backdoor, which reportedly cannot be disabled, leaves power utilities, military facilities, and municipal traffic departments using the industrial-strength gear vulnerable and could affect millions of indirect users. K. Reid Wightman, an industrial control systems security expert for Digital Bond, told tech blog Ars Technica, "If users are running non-redundant networks, this is probably going to require taking their process offline…so it's not the sort of thing that most users can patch right away—they're going to have to patch it during their normal manufacturing patching cycle, which might be a year."

The Industrial Control Systems Joint Working Group (ICSJWG) has created a consolidated document; a sector independent roadmap. This Cross-Sector Roadmap was conceived and developed over the last two years by industry and government thought leaders that saw the need for a unifying Roadmap to secure control systems across all critical sectors. Version 3 of the consolidated roadmaps is available for download. The document aids entities in creating a cybersecurity plan that incorporates the unique environment of control systems. The document is an excellent addition to a utility’s cybersecurity reference library and is available here.
  Read more »

Gregory Schaeffer, Acting Deputy Under Secretary, National Protection and Program Directorate, DHS, was one of the keynote speakers at the Industrial Control System Joint Working Group (ICSJWG) meeting held October 24th through the 26th in Long Beach, CA. He noted that ICSJWG offers an opportunity for the control system industry to catch up with security. Control system technology has “outrun its headlights” with respect to cybersecurity. He remarked that cybersecurity today touches everything and we need to treat it holistically. Further, the environment has changed since the 1990’s when the issue first arose. He said, "We are now worried about cybercrime. This problem evolved so rapidly and thoroughly, this area of crime is now far more lucrative than even the narcotics trade. In the last several years, hacking to get information and money has evolved into hacking for intellectual property. Vast amounts of information, both in the private and public sector, is being syphoned into the wrong hands. Identity theft is still a problem."
  Read more »

UTC will again be attending a face-to-face meeting of the Industrial Control System Joint Working Group (ICSJWG) in early October in Long Beach. The group falls under the Department of Homeland Security and is working on sector specific security issues, while merging security roadmaps into a single control system security document.

The draft meeting agenda can be found at the following web site; board members with specific interests, questions or concerns on these topics should contact Klaus Bender prior to October 1 and we will raise those issues at the meeting: http://www.us-cert.gov/control_systems/icsjwg/ICSJWG-2011-Fall-Conference_Agenda_7Sept2011_DRAFT.pdf

A security researcher has discovered links between infected Windows systems and industrial control systems by analyzing the HijackThis logs posted on online cybersecurity forums. The logs reveal detailed configuration information about the systems in question, the organization it belonged to (identified as Alstom UK - the British arm of the European energy firm), and even the role of the individual who owned the system. He has shared his findings on the blog of a security consulting firm named Digital Bond, as well as via twitter. The researcher, Michael Toecker, argues this as "another reason to not let third party systems connect into the control system,...the issue with vendors bringing their own computers in, and reasons for requiring that vendors use designated systems for controls work".

A new document intended to help pipeline operators, power producers, manufacturers and other managers of critical infrastructures to secure their systems while addressing their unique performance, reliability and safety requirements has been issued by National Institute of Standards and Technology (NIST). The document provides an overview of industrial control system (ICS) and typical system topologies, identifies typical threats and vulnerabilities to these systems and provides recommended security countermeasures to mitigate the associated risks. Because there are many different types of ICS with varying levels of potential risk and impact, the document provides a list of many different methods and techniques for securing ICS.

This new guide is recommended to be used along with the NIST Guidelines for Smart Grid Cyber Security (NISTIR 7628), which was issued last September, to tackle security issues arising from the convergence of the electric power Smart Grid and ICS.