Yesterday Dragos and a few other security vendors issued a report outlining a new piece of malware called CRASHOVERRIDE.
Essentially this malware after being loaded / loading onto an HMI will install additional backdoors and tools then execute a launcher and using the OPC protocol map the network on which it is located. It can then issue command utilizing modules for various industrial protocols, and then finally issue a command to wipe the HMI. Command issued via the protocols can results in rapid triggering of relays and a DoS attack by blocking communication via the HMI's serial port.
This can result in islanding of portions of the grid and general instability.
This sounds pretty bad but I have had a number of talks over time with craftsman and substation operations people about stuff like this. Their response has been consistent. If something like this attack were to take place they can take the network off line and use manual control.
In addition from what I have read this attack can be detected by noting unusual traffic on port 3128 and attempts to communicate with 4 or 5 TOR sites. It also appears that application whitelisting (one of the controls that appears on the CIS Top 20, ASD top 35 and IAD Top 10) would be helpful in preventing this attack.
All in all, worrying but not catastrophic.
(US CERT issued an alert that basically agrees with me)
DefCon - ICS Village: Grid Insecurity and How to Really Fix This Shit - I tried to see this talk while at DefCon, but the room they ...
Next week will be 25% of the planned 52 week run. I'll let you guys decide, stop or keep going?
So again today I am seeing all sorts of tweets about how great Mad Max - Fury Road is. Most revolving around the fact that Furiousa was a k...
4 T-Shirts, Gloves, Skull Coffee Cup, and a Knife.