Yet again, it seems that the Keystone Kops are running the show in Washington.
A little bit of wandering about the tubes leads to the Water-ISAC site exposing FOUO government files…
Hrm… wonder what’s in that PDF. Looks juicy…
Hrm. There’s some interesting reading…
What’s a Boreas?
For Official Use Only
Boreas Vulnerability Checklist
A vulnerability has been identified and verified within the firmware upgrade process used in industrial control systems. Successfully exploiting this vulnerability could cause components within the control system to malfunction or shut down, potentially damaging the equipment and/or process. To identify whether a component is susceptible to this vulnerability, please review and answer the following questions.
Questions:
* Do control system components (controllers, processors, etc.) contain reprogrammable firmware?
* Is the process of reprogramming firmware potentially accomplished remotely across a network?
* Does the process of reprogramming firmware lack an authentication mechanism or is it accomplished with publicly available authentication credentials?
* Are firmware image files stored in an unencrypted format anywhere on the system?
If you answered “yes†to more than one of these questions, you are potentially susceptible to this identified vulnerability. Development and implementation of a mitigation plan is needed to protect the installed customer base and the process used in industrial control systems of the nation.
Boreas Vulnerability Mitigation Steps
* Short Term
o Disable the capability to perform remote firmware upgrade.
o Block network firmware upgrades with appropriate firewall rules.
o Use local (direct physical device access) methods to upgrade firmware.
* Long Term
o Physically secure and encrypt firmware upgrade files during development, storage, transmission and use.
o Utilize authentication techniques in next generation control system networks.
o Secure the control system network using defense-in-depth techniques.Questions should be directed to cssp@dhs.gov, the Department of Homeland Security’s National Cyber Security Division.
Warning: This document is UNCLASSIFIED/FOR OFFICIAL USE ONLY (U/FOUO). It contains information that may be exempt from public release under the Freedom of Information Act (5 U.S.C. 552). It is to be controlled, stored, handled, transmitted, distributed, and disposed of in accordance with DHS policy relating to FOUO information and is not to be released to the public, the media, or other personnel who do not have a valid “need-to-know†without prior approval of an authorized DHS official.
For Official Use Only
The greek god of the north wind sure sounds like an awfully generalized discussion of bad firmware update practices.
This isn’t so much a technical vulnerability as it is:
- Truly excremental design on the part of the device manufacturer
- Facile and immature thinking on the part of the integrator/operator
- A security advisory which would be more usefully titled “Basic IT Operations for DUMMIES”
- About the most useless problem space description and mitigating actions discussion available on the topic
- Yet another example of the fact that no actual hackers or criminals are interested in disrupting these systems as it is childs-play to DOS the entire system
And yet another case which proves the point that I made at DEFCON. When you fuzz or “break” a SCADA system, generally it just stops. And in stopping, it’s up to the safety systems to keep things safe. Losing control of the cookie plant does not cause the cookie plant to start manufacturing cookies that kill you. It just makes a big mess.
[tags]WaterISAC, FOUO, DHS, security advisory, boreas[/tags]