Cybersecurity

The 2010s, When Hacking Moved from “Novelty” to “Fact of Life”

With the 2010s coming to a close, Wired magazine takes its readers on “an anxiety-inducing stroll” through a review of some of the worst hacks that occurred in the last decade. It notes that these hacks demonstrated that cyber incidents have become less of a novelty and more of a fact of life for billions of people around the world. One of the incidents revisited by Wired is that involving the Stuxnet malware that caused physical damage to equipment at a nuclear enrichment facility, a kind of attack that experts have warned could be conducted in other industrial settings.

Read more about The 2010s, When Hacking Moved from “Novelty” to “Fact of Life”

Exposed Databases Are as Bad as Data Breaches

A review of some of the most significant data breaches from the past year reveals that many resulted not because of a hacker having to apply exceptional technical prowess to infiltrate a system but as a consequence of an administrator having left the information sitting on the Internet by mistake. The problem is pervasive, according to Chris Vickery, a researcher at security company UpGuard who tracks database exposures. "It is the ugly elephant in the room that every security professional knows about, but doesn't want to talk about," he said.

Read more about Exposed Databases Are as Bad as Data Breaches

Quantifying OT Cyber Risk Through Comprehensive OT Asset Inventories

Quantifying OT cyber risk requires empirical facts. In a compendium to WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities, industrial cybersecurity firm Verve Industrial proposes the best way to gain empirical knowledge of OT environments is through comprehensive asset inventories based on real time, multi-contextual parameters. Verve’s article aims to help separate fact from fiction and varying opinions on what components are the most important when trying to secure OT environments.

Read more about Quantifying OT Cyber Risk Through Comprehensive OT Asset Inventories

Addressing OT Cybersecurity Strategy in the New Year

While one cybersecurity strategy does not fit all organization types, there are common questions that all organizations should ask themselves when embarking on a new year. Critical infrastructure cybersecurity firm Applied Risk poses four basic questions and offers approaches to drive OT cybersecurity initiatives for 2020 and beyond. From risk assessments and policies and procedures, to cybersecurity culture and teaming exercises, many of their suggestions coincide with WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities.

Read more about Addressing OT Cybersecurity Strategy in the New Year

Reliable Controls MACH-ProWebCom/Sys (ICSA-19-353-04)

CISA has published an advisory on a cross-site scripting vulnerability in Reliable Controls MACH-ProWebCom/Sys. For both MACH-ProWebSys and MACH-ProWebCom, all versions prior to 2.15 (firmware version prior to 8.26.4) are affected. Successful exploitation of this vulnerability could allow an attacker to execute commands on behalf of the affected user. Reliable Controls has released MACH-ProWebCom/Sys firmware revision 8.26.4 and software revision 2.15 to resolve the vulnerability. CISA also recommends a series of measures to mitigate the vulnerability.

Read more about Reliable Controls MACH-ProWebCom/Sys (ICSA-19-353-04)

Equinox Control Expert (ICSA-19-353-02)

CISA has published an advisory on an improper neutralization of special elements used in an SQL command ('SQL injection') vulnerability in Equinox Control Expert. All current and older versions could be affected. Successful exploitation of this vulnerability may allow remote code execution. Equinox has not responded to requests to provide mitigating details regarding this vulnerability. CISA will update its advisory with any information provided by the vendor. In the meantime, CISA recommends a series of measures to mitigate the vulnerability.

Read more about Equinox Control Expert (ICSA-19-353-02)

WECON PLC Editor (ICSA-19-353-03) – Products Used in the Water and Wastewater and Energy Sectors

CISA has published an advisory on a stack-based buffer overflow vulnerability in WECON PLC Editor. Version 1.3.5_20190129 is affected. Successful exploitation could allow an attacker to execute code under the privileges of the application. WECON has a strategy to address the issues and is currently developing a solution. CISA also recommends a series of measures to mitigate the vulnerability. Read the advisory at CISA.

Read more about WECON PLC Editor (ICSA-19-353-03) – Products Used in the Water and Wastewater and Energy Sectors

Moxa EDS Ethernet Switches (ICSA-19-353-01) – Products Used in the Water and Wastewater and Energy Sectors

CISA has published an advisory on an uncontrolled resource consumption vulnerability in Moxa EDS Ethernet Switches. For EDS-G508E, EDS-G512E, and EDS-G516E, versions 6.0 and prior are affected. Successful exploitation of this vulnerability could cause the target device to go out of service. Moxa has developed a patch to address the vulnerability. CISA also recommends a series of measures to mitigate the vulnerability. Read the advisory at CISA.

Read more about Moxa EDS Ethernet Switches (ICSA-19-353-01) – Products Used in the Water and Wastewater and Energy Sectors

Omron CX-Supervisor (Update A) (ICSA-19-318-04) – Product Used in the Energy Sector

December 19, 2019

CISA has updated this advisory with additional details on the nature of the vulnerability. Read the advisory at CISA.

November 18, 2019

Read more about Omron CX-Supervisor (Update A) (ICSA-19-318-04) – Product Used in the Energy Sector

AVEVA Vijeo Citect and Citect SCADA (Update A) (ICSA-19-290-01) - Product Used in the Energy Sector

December 19, 2019

CISA has updated this advisory with additional details on the affected equipment, the risk evaluation, the affected products, and mitigation measures. Read the advisory at CISA.

October 22, 2019

Read more about AVEVA Vijeo Citect and Citect SCADA (Update A) (ICSA-19-290-01) - Product Used in the Energy Sector

You are here

Cybersecurity

The 2010s, When Hacking Moved from “Novelty” to “Fact of Life”

Exposed Databases Are as Bad as Data Breaches

Quantifying OT Cyber Risk Through Comprehensive OT Asset Inventories

Addressing OT Cybersecurity Strategy in the New Year

Reliable Controls MACH-ProWebCom/Sys (ICSA-19-353-04)

Equinox Control Expert (ICSA-19-353-02)

WECON PLC Editor (ICSA-19-353-03) – Products Used in the Water and Wastewater and Energy Sectors

Moxa EDS Ethernet Switches (ICSA-19-353-01) – Products Used in the Water and Wastewater and Energy Sectors

Omron CX-Supervisor (Update A) (ICSA-19-318-04) – Product Used in the Energy Sector

AVEVA Vijeo Citect and Citect SCADA (Update A) (ICSA-19-290-01) - Product Used in the Energy Sector

Pages

You are here

Cybersecurity

Pages

Footer Email Signup