Is the SCADA Infrastructure Secure?


InfoSec News: Is the SCADA Infrastructure Secure?: http://www.embedded.com/columns/breakpoint/224202612
By Jack Ganssle Embedded.com 04/12/10
Governors and others frequently bemoan the lack of investment being made in crumbling infrastructure. Bridges, tunnels and the rest of the brick and mortar that enables our lives are in disrepair, and we're told things are getting worse. Shrinking budgets insure that repairs will continue to fall behind. Pundits also say the electric grid is old and not capable of meeting 21st century needs.
I recently met with a control engineer who works for a large metropolitan water company. He's concerned about another kind of infrastructure -- the digital one that monitors and controls factories and other large plants (including water plants, of course). These ubiquitous SCADA systems (supervisory control and data acquisition) often handle extremely high power actuators, like multi-thousand horsepower motors.
Industrial automation equipment often runs for decades or longer. Years ago, when working on a system in a steel mill, I came across a huge motor stamped with a manufacturing date of 1899. It was still in service. The electronics, too, often runs for decades.
That's a testament to great engineering and manufacturing, and is also potentially a great hazard. These systems were largely designed before security became an important issue. Many have been almost haphazardly connected to the Internet in the intervening years, when management sees the 'net as an easy way to monitor remotely and save money.
I have been told (by the NSA) that a Tylenol factory has been hacked. In 2003 a worm shut down all safety monitoring on an Ohio nuke plant for five hours. Vancouver's traffic lights have been compromised. A 14-year-old turned the Polish city of Lodz's trams into his own giant train set, derailing four cars and injuring at least a dozen people. There are many more instances.
[...]

Hackers Hit Apache.org, Compromise Passwords

InfoSec News: Hackers Hit Apache.org, Compromise Passwords: http://www.eweek.com/c/a/Security/Hackers-Hit-Apacheorg-Compromise-Passwords-896918/
By Brian Prince eWeek.com 2010-04-13
The Apache Software Foundation reports that it was hit earlier in April by a sophisticated attack that compromised user passwords. [...]

Microsoft Fixes Two Zero-Day Flaws

InfoSec News: Microsoft Fixes Two Zero-Day Flaws: http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=224400118
By Thomas Claburn InformationWeek April 13, 2010
Microsoft on Tuesday issued its April security patch, which includes 11 bulletins addressing 25 vulnerabilities. [...]

Cyberwar Doomsayer Lands $34 Million in Government Cyberwar Contracts

InfoSec News: Cyberwar Doomsayer Lands $34 Million in Government Cyberwar Contracts: http://www.wired.com/threatlevel/2010/04/booz-allen/
By Ryan Singel Threat Level Wired.com April 13, 2010
Last month, the former Director of National Intelligence Michael McConnell boldly took to the Senate floor and the Washington Post's editorial page to declare "The United States is fighting a cyber-war today, and we are losing."
Thankfully for the American people, his company -- the giant defense contractor Booz Allen Hamilton -- has now landed the contract to build the Air Force's cyberwar control center. For a measly $14.4 million in taxpayer money, the outfit will help build a new cyberwar bunker for the U.S. Cyber Command, a wing of the Air Force.
Additionally, Booz Allen Hamilton won another contract for $20 million to "foster collaboration among telecommunications researchers, University of Maryland faculty members and other academic institutions to improve secure networking and telecommunications and boost information assurance," Washington Technology reports. While that might sound like a lot of money to set up a mailing list and a wiki, please don’t be cynical. Undoubtedly, McConnell’s crack team of consultants are providing the researchers with around-the-clock bodyguards and state-of-the-art bullet-proof monitors.
Meanwhile, we urge U.S. netizens to refrain from un-patriotic musings that McConnell intentionally uses fear and exaggerated rhetoric to land these kinds of contracts for his company and instead, be vigilant and keep their eyes out for signs of Chinese hackers (one telltale sign is a "Made in China" label on the bottom of your laptop).
[...]

Will DNSSEC kill your internet?

InfoSec News: Will DNSSEC kill your internet?: http://www.theregister.co.uk/2010/04/13/dnssec/
By Kevin Murphy The Register 13th April 2010
Internet users face the risk of losing their internet connections on 5 May when the domain name system switches over to a new, more secure protocol.
While the vast majority of users are expected to endure the transition to DNSSEC smoothly, users behind badly designed or poorly configured firewalls, or those subscribing to dodgy ISPs could find themselves effectively disconnected.
DNSSEC adds digital signatures to normal DNS queries, substantially reducing the risk of falling victim to man-in-the-middle attacks such as the Kaminsky exploit, which caused widespread panic in July 2008.
The standard is currently being rolled out cautiously to the internet's DNS root servers. In May, when all 13 roots are signed, anybody with an incompatible firewall or ISP will know about it, because they won't be able to find websites or send email.
[...]

Atlassian plugs security hole

InfoSec News: Atlassian plugs security hole: http://www.itwire.com/it-industry-news/strategy/38248-atlassian-plugs-security-hole
By Renai LeMay iTWire 13 April 2010
Australian collaborative software developer Atlassian today warned customers that it had in the past several days plugged a security [...]
