Considerations for Making ICS Networks Comply with CMMC
January 26, 2021
1. Background
In early 2020, the US Department of Defense (DOD) released the Cybersecurity Maturity Model Classification (CMMC).
On average, the USA loses USD 600 billion a year to adversaries in the cyberspace. Currently, the DOD has about 300,000 contractors, covering a variety of fields from hypersonic weapons to leather factories. Of all these contractors, about 290,000 virtually have no cybersecurity measures. In the past few years, the US Government has stepped up efforts in regulating the defense supply chain, with cybersecurity as the top concern.
(more…)Non-negligible ICS Security Risks — Device Simulator Security
January 23, 2021
Background
To facilitate debugging and analysis by developers, a lot of master computer configuration software often comes with a simulator that simulates a real programmable logic controller (PLC) or human-machine interface (HMI) device. Such simulators exchange data with master computer configuration software through TCP/IP and therefore some will listen on a designated port which is sometimes even bound to the IP address 0.0.0.0 and open to other remote users.
As simulators may share the code base with real devices, vulnerabilities in simulators will affect real devices and vice versa, especially vulnerabilities in private protocols such as remote code execution vulnerabilities caused by buffer overflows. If simulators provide a publically available service that contains a high-risk vulnerability, attackers could exploit it to compromise developers’ hosts for further penetration.
(more…)