Sunday, September 21, 2014

ICS SCADA Mobile: BYOD (Bring Your Own Disaster) to your control network

I have to confess I'm an "Apple Fanboy". I use my iPad every day to browse news, Twitter, cyber security blogs, etc.
Some days ago I was browsing exploit-db.com, as I used to do when working on IT security projects. One of the first exploits I saw was related to an iPad application for transferring content over Wi-Fi (Air Transfer from Darinshoft).



When I saw the description I couldn't believe it could be so easy and so dangerous, so I downloaded and installed the app on my iPad. I tried the exploit from my MacBook and ..... Bingo!!
I could crash the application and retrieve content even though access to the web interface was password protected.
(The exploit was published on August 19th and the application has not yet been patched.)

All that made me think about the mobile apps used to connect to SCADA systems and the IoT solutions the big automation companies are designing.
Then I remembered a nice article by Eric Byrnes that described the software quality problem ICS have to face on a daily basis.

"Academic research tells us that most commercial software contains 3 - 10 defects for every thousand lines of code (KLOC), and that 1% to 5% of these result in vulnerabilities. That works out to between 0.03 and 0.5 vulnerabilities per KLOC."

Translating those figures to the Apple App Store (September 2014) gives the following:


So even assuming the smallest app size and the lowest vulnerability rate, we are talking about millions of vulnerabilities in the Apple mobile app world alone.
If we do the same for Google Play, the results would roughly double.

We need to go back to basics and define security requirements from the very beginning of every app development (server, desktop or mobile), and be very cautious about deploying these fancy iPad apps in ICS, even if your CEO is asking for the same solution he saw at his last meeting with colleagues.





Thursday, September 11, 2014

Who the hell are you trusting on your Cyber Security Team?

Recently I found a paper published by a center that depends on the US Department of Homeland Security:


In this paper they warn about the insider threat and give some clues for detecting strange behaviour in your own personnel:


It was very impressive: 100% of my cyber security consulting team match these indicators!!!!!

Now I am looking for good cyber security engineers who never access networks at odd times, only work 8 hours on working days, never answer their cell phone when out of the office or on holiday, never read classified material, never show any interest in anything outside their perimeter and, most important, never enjoy a good beer after a long day of tapping, sniffing, tag classification and graph creation!!!!

Surprisingly, I am not finding any candidates!!!! Do you know why that is?

(You can find the whole paper Here.)

Wednesday, September 10, 2014

"Close the Door Campaign" is becoming popular

Surprisingly, today I found this tweet from 



We are in the Top 10!!!
I will continue the campaign until every Spanish ICS open port disappears from the map!!!

Thursday, September 4, 2014

The Dragonfly campaign hangover in Spain (II)

I know Internet-exposed ICS open ports were not the Dragonfly attack vector but, in my opinion, that is not a good practice anyway. There are a lot of open source and commercial solutions for accessing your industrial control devices over the Internet in a secure and controlled way.

So, what were the results? .....



In this table you can see that the number of devices with these four ICS protocol ports open grew over the period.
On the other hand, the percentage of Spanish open-port devices relative to the worldwide total grew for the ICCP and Modbus TCP protocols, but decreased for EtherNet/IP and BACnet.

The summary data for the period are the following:
  • Total open ports worldwide
  • Total open ports in Spain
  • Percentage of Spanish devices relative to worldwide devices



Some findings:
  • Bearing in mind that Spain's Gross Domestic Product in 2013 was just 1.83% of worldwide GDP, every protocol percentage is above that (sometimes 3 or 4 times above).
  • Although the growth over the period is not big, it is a trend, and it comes just one month after a serious incident affecting industrial control system organisations. Is our cyber security awareness growing in Spain? (I don't think so.)
  • Most of the systems recorded by SHODAN were installed in critical sectors (as the banners showed).
Some easy advice:
  • Shodan yourself!!!! (It's free and easy.)
  • Ask your ICS vendor for a secure remote access solution if you really need remote access.
  • Read this blog periodically. (It's free as well.)




The Dragonfly campaign hangover in Spain

Living in Spain and working in the critical infrastructure protection sector is a risky business.
In July I was very busy trying to find out what the real impact of Dragonfly in Spain was, and writing some articles to raise cyber security awareness in Spanish utility companies.



It seems that after being "World Champions" in infections, companies should have taken some basic countermeasures. (Maybe the simplest one would be an external black-box audit to check the external visibility of the company's infrastructure and services.)

But after twenty years trying to improve our security level, and knowing how things tend to be managed here, I decided to try a little experiment.

From August 14th until today I have been running Shodan searches once a day to collect the worldwide and Spanish number of Internet-exposed open ports for the most famous industrial control protocols:

  • ICCP/S7 (102 TCP)
  • Modbus (502 TCP)
  • EtherNet/IP (44818 TCP)
  • BACnet (47808 UDP)

My bet was that the situation would improve in the weeks to come, but if you want to know what the results were, stay tuned for my next post.
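The daily Shodan count described above, and the "Shodan yourself" advice from the follow-up post, as an added example (this is not the blog author's script). It assumes the `shodan` Python library and an API key in the SHODAN_API_KEY environment variable for the live path; the snapshot, share and growth calculations are standard library only and are exercised here with constructed sample counts, not real Shodan figures. Shodan's `port:` and `country:` filters and `Shodan.count()` are real; the protocol table, CSV layout and function names are this example's own.

```python
"""Daily Shodan count of Internet-exposed ICS ports, worldwide and for Spain.

Added example, not the blog author's own script. The live path assumes the
`shodan` Python library (pip install shodan) and an API key in the
SHODAN_API_KEY environment variable; the snapshot/growth logic is standard
library only, so it runs offline with an injected counter.
"""
import csv
import datetime as dt
import os
import sys

# Protocol -> (port, transport), as listed in the post. Only the port goes
# into the Shodan filter; the transport is kept for the report.
ICS_PORTS = {
    "ICCP/S7": (102, "tcp"),
    "Modbus": (502, "tcp"),
    "EtherNet/IP": (44818, "tcp"),
    "BACnet": (47808, "udp"),
}

# Constructed sample counts (NOT real Shodan figures) for two days, keyed by
# the exact query string, so the pipeline can be exercised without a key.
SAMPLE_COUNTS = {
    "port:102": 10000, "port:102 country:ES": 300,
    "port:502": 20000, "port:502 country:ES": 500,
    "port:44818": 5000, "port:44818 country:ES": 50,
    "port:47808": 8000, "port:47808 country:ES": 120,
}
SAMPLE_COUNTS_LATER = {
    "port:102": 10500, "port:102 country:ES": 330,
    "port:502": 20400, "port:502 country:ES": 540,
    "port:44818": 5200, "port:44818 country:ES": 48,
    "port:47808": 8400, "port:47808 country:ES": 120,
}


def shodan_query(port, country=None):
    """Shodan filter for a port, optionally restricted to an ISO 3166-1 country."""
    query = f"port:{port}"
    if country:
        query += f" country:{country}"
    return query


def share(local, world):
    """Share of worldwide exposed hosts in percent; 0.0 when there are none."""
    return round(100.0 * local / world, 2) if world else 0.0


def collect(counter, day=None, country="ES"):
    """One daily snapshot. `counter(query)` returns the number of matching hosts."""
    day = day or dt.date.today().isoformat()
    rows = []
    for proto, (port, transport) in ICS_PORTS.items():
        world = counter(shodan_query(port))
        local = counter(shodan_query(port, country))
        rows.append({"date": day, "protocol": proto, "port": port,
                     "transport": transport, "country": country,
                     "world": world, "local": local,
                     "share_pct": share(local, world)})
    return rows


def growth(first, last):
    """Per-protocol change between two snapshots: worldwide, local and share."""
    base = {r["protocol"]: r for r in first}
    return {r["protocol"]: {
        "world": r["world"] - base[r["protocol"]]["world"],
        "local": r["local"] - base[r["protocol"]]["local"],
        "share_pct": round(r["share_pct"] - base[r["protocol"]]["share_pct"], 2),
    } for r in last}


def append_csv(rows, path):
    """Append a snapshot to a CSV log, writing the header on first use."""
    new = not os.path.exists(path)
    with open(path, "a", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]))
        if new:
            writer.writeheader()
        writer.writerows(rows)


def live_counter():
    """Counter backed by the Shodan API (`Shodan.count` returns {'total': N, ...})."""
    import shodan  # imported lazily so the offline path has no dependency
    api = shodan.Shodan(os.environ["SHODAN_API_KEY"])
    return lambda query: api.count(query)["total"]


if __name__ == "__main__":
    # Run once a day (e.g. from cron) to build the series the post describes.
    snapshot = collect(live_counter())
    append_csv(snapshot, sys.argv[1] if len(sys.argv) > 1 else "ics_exposure.csv")
    for r in snapshot:
        print(f"{r['date']} {r['protocol']:<12} world={r['world']:>7} "
              f"{r['country']}={r['local']:>6} share={r['share_pct']:.2f}%")
```

Two caveats when reading such a series: Shodan's counts reflect what its crawlers saw, so a single day's change can be crawl noise rather than hosts appearing or disappearing, and the `country:` filter relies on IP geolocation, so a few hosts will be misattributed. A trend over several weeks, as in the post, is far more meaningful than any one daily delta.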