Encari security awareness bulletin volume VIII issue i r1 0

Essential

NERC CIP
Security Awareness Bulletin


Encari Security Awareness Bulletin

Volume VIII, Issue I: April, 2016

Table of Contents

Threats, Vulnerabilities and Incidents

Cisco Security Advisory (cisco-sa-20160330-fp): Cisco Firepower Malware Block Bypass Vulnerability
US-CERT Alert (TA16-091A): Ransomware and Recent Variants
ICS-CERT Alert (IR-ALERT-H-16-056-01): Cyber-Attack Against Ukrainian Critical Infrastructure
ICS-CERT Advisory (ICSA-16-084-01): Cogent DataHub Elevation of Privilege Vulnerability
ICS-CERT Advisory (ICSA-16-082-01): Siemens APOGEE Insight Incorrect File Permissions Vulnerability
ICS-CERT Advisory (ICSA-16-077-01A): ABB Panel Builder 800 DLL Hijacking Vulnerability (Update A)
ICS-CERT Advisory (ICSA-16-075-01): Siemens SIMATIC S7-1200 CPU Protection Mechanism Failure
ICS-CERT Advisory (ICSA-16-070-01): Schneider Electric Telvent RTU Improper Ethernet Frame Padding Vulnerability
ICS-CERT Advisory (ICSA-16-063-01): Moxa ioLogik E2200 Series Weak Authentication Practices
ICS-CERT Advisory (ICSA-16-061-01): Schneider Electric Building Operation Automation Server Vulnerability
ICS-CERT Advisory (ICSA-16-061-02): Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability
ICS-CERT Advisory (ICSA-16-049-01): B+B SmartWorx VESP211 Authentication Bypass Vulnerability
ICS-CERT Advisory (ICSA-16-049-02): AMX Multiple Products Credential Management Vulnerabilities
ICS-CERT Advisory (ICSA-16-040-01): Tollgrade SmartGrid Sensor Management System Software Vulnerabilities
ICS-CERT Advisory (ICSA-16-040-02): Siemens SIMATIC S7-1500 CPU Vulnerabilities
ICS-CERT Advisory (ICSA-16-033-01): Sauter moduWeb Vision Vulnerabilities
ICS-CERT Advisory (ICSA-16-033-02): GE SNMP/Web Interface Vulnerabilities
ICS-CERT Advisory (ICSA-16-028-01): Westermo Industrial Switch Hard-coded Certificate Vulnerability
ICS-CERT Advisory (ICSA-16-026-01): MICROSYS PROMOTIC Memory Corruption Vulnerability
2016 Copyright, Encari, a division of PowerSecure, Inc. This Security Awareness Bulletin is provided as a complimentary service by Encari
to aid entities in complying with the NERC CIP Reliability Standards. Each entity remains responsible, however, for establishing that the
dissemination and documented use of this Bulletin meets the requirements under the NERC CIP Reliability
Standards.

ICS-CERT Advisory (ICSA-16-021-01): CAREL PlantVisor Enhanced Authentication Bypass Vulnerability
ICS-CERT Advisory (ICSA-15-337-02): Hospira Multiple Products Buffer Overflow Vulnerability
ICS-CERT Advisory (ICSA-16-019-01): Siemens OZW672 and OZW772 XSS Vulnerability
ICS-CERT Advisory (ICSA-16-014-01): Advantech WebAccess Vulnerabilities
ICS-CERT Advisory (ICSA-15-356-01): Siemens RUGGEDCOM ROX-based Devices NTP Vulnerabilities
ICS-CERT Advisory (ICSA-15-351-01): Schneider Electric Modicon M340 Buffer Overflow Vulnerability
ICS-CERT Advisory (ICSA-15-351-02): Motorola MOSCAD SCADA IP Gateway Vulnerabilities
ICS-CERT Advisory (ICSA-15-351-03): eWON Vulnerabilities
ICS-CERT Advisory (ICSA-15-349-01): Adcon Telemetry A840 Vulnerabilities
ICS-CERT Advisory (ICSA-15-344-01B): Advantech EKI Vulnerabilities (Update B)
Vulnerability Note (VU# 732760): Autodesk Backburner Manager contains a stack-based buffer overflow vulnerability
Vulnerability Note (VU# 319816): npm fails to restrict the actions of malicious npm package
Vulnerability Note (VU# 27947): Granite Data Services AMF framework fails to properly parse XML input containing a reference to external entities
Vulnerability Note (VU# 897144): Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to stack buffer overflow
Vulnerability Note (VU# 713312): DTE Energy Insight app vulnerable to information exposure
Vulnerability Note (VU# 270232): Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability
Vulnerability Note (VU# 583776): Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack
Vulnerability Note (VU# 938151): Forwarding Loop Attacks in Content Delivery Networks may result in denial of service
Vulnerability Note (VU# 419128): IKE/IKEv2 protocol implementations may allow network amplification attacks
Vulnerability Note (VU# 444472): QNAP Signage Station and iArtist Lite contain multiple vulnerabilities


Vulnerability Note (VU# 981271): Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol
Vulnerability Note (VU# 485744): Flexera Software FlexNet Publisher lmgrd contains a buffer overflow vulnerability
Vulnerability Note (VU# 899080): Zhuhai Raysharp firmware for DVRs from multiple vendors contains hard-coded credentials
Vulnerability Note (VU# 923388): Swann SRNVW-470 allows unauthorized access to video stream and contains a hard-coded password
Vulnerability Note (VU# 457759): glibc vulnerable to stack buffer overflow in DNS resolver
Vulnerability Note (VU# 507216): Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default
Vulnerability Note (VU# 327976): Cisco Adaptive Security Appliance (ASA) IKEv1 and IKEv2 contains a buffer overflow vulnerability
Vulnerability Note (VU# 305096): Comodo Chromodo browser with Ad Sanitizer does not enforce same origin policy and is based on an outdated version of Chromium
Vulnerability Note (VU# 777024): Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities
Vulnerability Note (VU# 544527): OpenELEC and RasPlex have a hard-coded SSH root password
Vulnerability Note (VU# 972224): Huawei Mobile WiFi E5151 and E5186 routers use insufficiently random values for DNS queries
Vulnerability Note (VU# 257823): OpenSSL re-uses unsafe prime numbers in Diffie-Hellman protocol
Vulnerability Note (VU# 992624): Harman AMX multimedia devices contain hard-coded credentials
Vulnerability Note (VU# 916896): Oracle Outside In 8.5.2 contains multiple stack buffer overflows
Vulnerability Note (VU# 772447): ffmpeg and Libav cross-domain information disclosure vulnerability
Vulnerability Note (VU# 456088): OpenSSH Client contains a client information leak vulnerability and buffer overflow
Vulnerability Note (VU# 753264): IPSwitch WhatsUp Gold does not validate commands when deserializing XML objects


Vulnerability Note (VU# 820196): Furuno Voyage Data Recorder (VDR) moduleserv firmware update utility fails to properly sanitize user-provided input

Security Publications, Tips, Tools and Solutions

NISTIR 8055: Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research
NISTIR 8054: NSTIC Pilots: Catalyzing the Identity Ecosystem
NISTIR 7511 Rev. 4: Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements
NIST Special Publication 800-38G: Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems Organizations
NIST Special Publication 800-125B: Secure Virtual Network Configuration for Virtual Machine (VM) Protection
NIST Special Publication 800-73-4: Interfaces for Personal Identity Verification
NIST Special Publication 800-57 Part 1 Rev. 4: Recommendation for Key Management, Part 1: General
ICS-CERT Releases CSET 7.1
ICS-CERT Fact Sheets

NERC Compliance Tools and Resources

Final Lesson Learned Posted
CIP V5 Evidence Request Spreadsheets Available
Highlight on CIP V5 Program Resources

FERC Orders

Order No. 822: Revised Critical Infrastructure Protection Reliability Standards
RM15-14-000: Letter Order Granting Extension of Time for Revised CIP V5 Reliability Standards

NERC Filings with FERC

RM15-14-000: Comments of NERC in Response to Trade Associations' Motion in the Revised CIP Standards Proceeding

Pending Legislation

H.R.4350 - To repeal the Cybersecurity Act of 2015
S.2665 - State and Local Cyber Protection Act of 2016
H.R.4743 - National Cybersecurity Preparedness Consortium Act of 2016

H.R.4860 - United States - Israel Cybersecurity Cooperation Act

Upcoming Events

FRCC Spring Compliance Workshop
Texas RE Spring 2016 Standards & Compliance Workshop
ICSJWG 2016 Spring Meeting
Industrial Control Systems Cybersecurity (301) Training
FRCC 2016 CIP Compliance Workshop
SPP RE CIP Workshop
MRO Reliability Conference Protection Systems
FERC Reliability Technical Conference
NERC 2016 Standards & Compliance Workshop
Texas RE Compliance 101 Workshop
MRO Security Conference
SERC CIP Compliance Seminar
RF Fall Workshop
TRE Fall Standards & Compliance Workshop
NERC GridSecCon 2016
SERC Fall Compliance Seminar
WECC CUG & CIPUG
FRCC Compliance Fall Workshop
NPCC Compliance Workshop
MRO CMEP Conference

Looking for a Helpful Resource?

Encari's Website
NERC CIP Compliance LinkedIn Group
Encari's Email Distribution List
NERC CIP Version 5 Indices
Quarterly Security Awareness Resources
NERC CIP Compliance Webinars
ICS-CERT Critical Infrastructure Feed Recently Published
SCADA Security Survival Guide
ECT.COOP

Contribute Control Systems Security Articles to Future ICSJWG Quarterly Newsletters
RSS


Threats, Vulnerabilities and Incidents

Cisco Security Advisory (cisco-sa-20160330-fp): Cisco Firepower Malware Block Bypass Vulnerability
A vulnerability in the malicious file detection and blocking features of Cisco Firepower System
Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms
on an affected system.
The vulnerability is due to improper input validation of fields in HTTP headers. An attacker could
exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful
exploit could allow the attacker to bypass malicious file detection or blocking policies that are
configured for the system, which could allow malware to pass through the system undetected.
Cisco has released software updates that address this vulnerability. There are no workarounds that
address this vulnerability. For additional details and mitigation, click here.

US-CERT Alert (TA16-091A): Ransomware and Recent Variants
In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting
computers belonging to individuals and businesses, which included healthcare facilities and
hospitals worldwide. Ransomware is a type of malicious software that infects a computer and
restricts users' access to it until a ransom is paid to unlock it.
The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber
Incident Response Centre (CCIRC), is releasing this Alert to provide further information on
ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating,
and how users can prevent and mitigate against ransomware. For additional details and mitigation,
click here.

ICS-CERT Alert (IR-ALERT-H-16-056-01): Cyber-Attack Against Ukrainian Critical Infrastructure
On December 23, 2015, Ukrainian power companies experienced unscheduled power outages
impacting a large number of customers in Ukraine. In addition, there have also been reports of
malware found in Ukrainian companies in a variety of critical infrastructure sectors. Public reports
indicate that the BlackEnergy (BE) malware was discovered on the companies' computer networks;
however, it is important to note that the role of BE in this event remains unknown pending further
technical analysis.
An interagency team comprised of representatives from the National Cybersecurity and
Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response
Team (ICS-CERT), U.S. Computer Emergency Readiness Team (US-CERT), Department of Energy,
Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to
Ukraine to collaborate and gain more insight. The Ukrainian government worked closely and openly
with the U.S. team and shared information to help prevent future cyber-attacks.
This report provides an account of the events that took place based on interviews with company
personnel. This report is being shared for situational awareness and network defense purposes.
ICS-CERT strongly encourages organizations across all sectors to review and employ the mitigation
strategies listed below.
Additional information on this incident including technical indicators can be found in the TLP GREEN
alert (IR-ALERT-H-16-043-01P and subsequent updates) that was released to the US-CERT secure
portal. US critical infrastructure asset owners and operators can request access to this information
by emailing For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-084-01): Cogent DataHub Elevation of Privilege Vulnerability
Steven Seeley of Source Incite has identified a privilege elevation vulnerability in the Cogent DataHub
application produced by Cogent Real-Time Systems, Inc. Cogent has produced a new version to
mitigate this vulnerability. Steven Seeley has tested the new version to validate that it resolves the
vulnerability. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-082-01): Siemens APOGEE Insight Incorrect File Permissions Vulnerability
Siemens has identified an incorrect file permissions vulnerability in APOGEE Insight. Network &
Information Security Ltd. Company and HuNan Quality Inspection Institute reported this issue
directly to Siemens. Siemens has provided workaround instructions to mitigate this vulnerability.
For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-077-01A): ABB Panel Builder 800 DLL Hijacking Vulnerability (Update A)
This updated advisory is a follow-up to the original advisory titled ICSA-16-077-01 ABB Panel Builder
800 DLL Hijacking Vulnerability that was published March 17, 2016, on the NCCIC/ICS-CERT web
site.
Ivan Sanchez from Nullcode Team has identified a DLL Hijacking vulnerability in the ABB Panel
Builder 800 Version 5.1 application.
Panel Builder Version 6.0 is not affected by this vulnerability.
For additional details and mitigation, click here.


ICS-CERT Advisory (ICSA-16-075-01): Siemens SIMATIC S7-1200 CPU Protection Mechanism Failure
Siemens has identified a protection mechanism failure vulnerability in old firmware versions of
SIMATIC S7-1200. Maik Brüggemann and Ralf Spenneberg from Open Source Training reported this
issue directly to Siemens. Siemens provides SIMATIC S7-1200 CPU product, release V4.0 or newer,
to mitigate this vulnerability and recommends keeping the firmware up to date. This vulnerability
could be exploited remotely. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-070-01): Schneider Electric Telvent RTU Improper Ethernet Frame Padding Vulnerability
David Formby and Raheem Beyah of Georgia Tech have identified a vulnerability caused by an
Institute of Electrical and Electronics Engineers (IEEE) conformance issue involving improper frame
padding in Schneider Electric's Telvent SAGE and remote terminal units (RTUs).
Schneider Electric has already released a revision that eliminates this vulnerability. This advisory
serves as a notification of a new vulnerability in the previous software version. The researchers have
tested the revision to validate that it resolves the reported vulnerability. For additional details and
mitigation, click here.

ICS-CERT Advisory (ICSA-16-063-01): Moxa ioLogik E2200 Series Weak Authentication Practices
This advisory is a follow-up to the alert titled ICS-ALERT-15-224-04 Moxa ioLogik E2210
Vulnerabilities that was published August 12, 2015, on the NCCIC/ICS-CERT web site.
Independent researcher Aditya Sood reported weak authentication vulnerabilities in Moxa ioLogik
E2200 Ethernet Micro RTU controllers. Moxa has produced a network security enhancement to
mitigate these vulnerabilities. These vulnerabilities could be exploited remotely. Exploits that target
these vulnerabilities are publicly available. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-061-01): Schneider Electric Building
Operation Automation Server Vulnerability

Independent researcher Karn Ganeshen has identified a vulnerability in servers programmed with
Schneider Electric's StruxureWare Building Operation software. Schneider Electric has produced a
new version to mitigate this vulnerability. This vulnerability could be exploited remotely. For
additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-061-02): Rockwell Automation Allen-Bradley
CompactLogix Reflective Cross-Site Scripting Vulnerability
This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation
1766L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site.
Independent researcher Aditya Sood has identified a cross-site scripting vulnerability in Rockwell
Automation's CompactLogix controller. This vulnerability has been publicly disclosed. Rockwell
Automation has produced a new firmware version to mitigate this vulnerability. This vulnerability
could be exploited remotely. For additional details and mitigation, click here.


ICS-CERT Advisory (ICSA-16-049-01): B+B SmartWorx VESP211 Authentication
Bypass Vulnerability

Independent researcher Maxim Rupp has identified an authentication bypass vulnerability in B+B
SmartWorx's VESP211 serial servers. B+B SmartWorx has produced an implementation plan to
mitigate this vulnerability. This vulnerability could be exploited remotely. For additional details and
mitigation, click here.

ICS-CERT Advisory (ICSA-16-049-02): AMX Multiple Products Credential Management
Vulnerabilities
NCCIC/ICS-CERT has become aware of public reporting of credential management vulnerabilities in
multiple Harman AMX multimedia devices. AMX has confirmed the existence of hard-coded
passwords in multiple products. AMX has produced patches and new product versions to mitigate
one of the vulnerabilities in the affected products. AMX is working to release new product versions
to mitigate the remaining credential management vulnerability in their affected products. These
vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are known to be
publicly available. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-040-01): Tollgrade SmartGrid Sensor Management
System Software Vulnerabilities

Independent researcher Maxim Rupp has identified vulnerabilities in Tollgrade Communications,
Inc.'s SmartGrid LightHouse Sensor Management System (SMS) Software EMS. Tollgrade
Communications, Inc. has produced an update to mitigate these vulnerabilities. Maxim Rupp has
tested the update to validate that it resolves the vulnerabilities. These vulnerabilities could be
exploited remotely. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-040-02): Siemens SIMATIC S7-1500 CPU Vulnerabilities
Siemens has identified two vulnerabilities in the Siemens SIMATIC S7-1500 CPU family. Siemens has
produced a firmware update to mitigate these vulnerabilities. These vulnerabilities could be
exploited remotely. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-033-01): Sauter moduWeb Vision Vulnerabilities

Martin Jartelius and John Stock of Outpost have identified three vulnerabilities in Sauter's
moduWeb Vision application. Sauter has produced a new firmware version to mitigate these
vulnerabilities. The researchers have tested the new firmware version to validate that it resolves the
vulnerabilities. These vulnerabilities could be exploited remotely. For additional details and
mitigation, click here.

ICS-CERT Advisory (ICSA-16-033-02): GE SNMP/Web Interface Vulnerabilities
Independent researcher Karn Ganeshen has identified two vulnerabilities in the GE SNMP/Web
Interface adapter. GE has produced a new firmware version to mitigate the identified vulnerabilities
in later model devices. Earlier model SNMP/Web Interface adapters may need to be upgraded to
accommodate the new firmware version to address the identified vulnerabilities. These
vulnerabilities could be exploited remotely. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-028-01): Westermo Industrial Switch Hard-coded
Certificate Vulnerability

Independent researcher Neil Smith has identified a hard-coded certificate vulnerability in
Westermo's industrial switches. Westermo has developed an update to allow the web interface
certificate to be changed. Neil Smith has tested the update to validate that it resolves the vulnerability.
This vulnerability could be exploited remotely after a successful man-in-the-middle attack. For
additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-026-01): MICROSYS PROMOTIC Memory Corruption
Vulnerability


Security researcher Praveen Darshanam of Versa Networks has identified a memory corruption
vulnerability in the MICROSYS, spol. s.r.o. PROMOTIC application. MICROSYS has produced a new
version to mitigate this vulnerability. The researcher has tested the new version to validate that it
resolves the vulnerability. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-021-01): CAREL PlantVisor Enhanced
Authentication Bypass Vulnerability

Independent researcher Maxim Rupp has identified an authorization bypass vulnerability in CAREL's
PlantVisor application. CAREL has confirmed that this vulnerability refers to the phased-out CAREL
product PlantVisorEnhanced and is no longer supported. This vulnerability could be exploited
remotely. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-15-337-02): Hospira Multiple Products Buffer Overflow
Vulnerability
This advisory was originally posted to the US-CERT secure Portal library on December 3, 2015, and
is being released to the NCCIC/ICS-CERT web site.
Jeremy Richards of SAINT Corporation has identified a buffer overflow vulnerability in Hospira's
LifeCare PCA Infusion System. Hospira has determined that LifeCare PCA Infusion Systems released
prior to July 2009 that are running Communication Engine (CE) Version 1.0 or earlier are vulnerable.
In response to Jeremy Richards' reported vulnerability, Hospira has assessed other products and
determined that Plum A+/A+3 Infusion Systems, released prior to March 2009 and running CE
Version 1.0 or earlier versions, also contain the identified vulnerability. Hospira has confirmed that
LifeCare PCA and Plum A+/A+3 Infusion Systems, running CE Version 1.2 or later versions, sold after
the aforementioned dates, are not vulnerable. This vulnerability could be exploited remotely. For
additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-16-019-01): Siemens OZW672 and OZW772 XSS
Vulnerability

Independent researcher Aditya Sood has identified a cross-site scripting vulnerability in Siemens
OZW672 and OZW772 devices. Siemens has produced a firmware update to mitigate this
vulnerability. This vulnerability could be exploited remotely. For additional details and mitigation,
click here.

ICS-CERT Advisory (ICSA-16-014-01): Advantech WebAccess Vulnerabilities
Ilya Karpov of Positive Technologies, Ivan Sanchez, Andrea Micalizzi, Ariele Caltabiano, Fritz Sands,
Steven Seeley, and an anonymous researcher have identified multiple vulnerabilities in Advantech
WebAccess application. Many of these vulnerabilities were reported through the Zero Day Initiative
(ZDI) and iDefense. Advantech has produced a new version to mitigate these vulnerabilities. Ivan
Sanchez has tested the new version to validate that it resolves the vulnerabilities which he reported.
These vulnerabilities could be exploited remotely. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-15-356-01): Siemens RUGGEDCOM ROX-based Devices NTP
Vulnerabilities
Siemens has reported to NCCIC/ICS-CERT that NTP daemon vulnerabilities exist in the Siemens
RUGGEDCOM ROX-based devices. Siemens has produced firmware updates to mitigate these
vulnerabilities. These vulnerabilities could be exploited remotely. For additional details and
mitigation, click here.

ICS-CERT Advisory (ICSA-15-351-01): Schneider Electric Modicon M340 Buffer
Overflow Vulnerability

David Atch of CyberX has identified a buffer overflow vulnerability in Schneider Electric's Modicon
M340 PLC product line. Schneider Electric has produced a new firmware patch to mitigate this
vulnerability. This vulnerability could be exploited remotely. For additional details and mitigation,
click here.

ICS-CERT Advisory (ICSA-15-351-02): Motorola MOSCAD SCADA IP Gateway
Vulnerabilities


Independent researcher Aditya K. Sood has identified Remote File Inclusion (RFI) and Cross-Site
Request Forgery (CSRF) vulnerabilities in Motorola Solutions' MOSCAD IP Gateway. Motorola
Solutions has confirmed this product was cancelled at the end of 2012 and no longer offers software
updates. These vulnerabilities could be exploited remotely. For additional details and mitigation,
click here.

ICS-CERT Advisory (ICSA-15-351-03): eWON Vulnerabilities
Independent researcher Karn Ganeshen has identified several vulnerabilities in the eWON sa
industrial router. eWON sa has produced an updated firmware to mitigate these vulnerabilities.
These vulnerabilities could be exploited remotely. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-15-349-01): Adcon Telemetry A840 Vulnerabilities
Independent researcher Aditya K. Sood has identified vulnerabilities in Adcon Telemetry's A840
Telemetry Gateway Base Station. Adcon Telemetry has stated that the A840 is an obsolete product
and is no longer supported. No patches or updates will be created for this product. Adcon Telemetry
sent a message to all known customers to offer to upgrade to a more secure and stable version. These
vulnerabilities could be exploited remotely. For additional details and mitigation, click here.

ICS-CERT Advisory (ICSA-15-344-01B): Advantech EKI Vulnerabilities (Update B)
This updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI
Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site.
HD Moore of Rapid identified several vulnerabilities in Advantech's EKI. Advantech has released
updated firmware to mitigate these vulnerabilities.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are
known to be publicly
For additional details and mitigation, click here.
Vulnerability Note (VU# 732760): Autodesk Backburner Manager contains a stack-based
buffer overflow vulnerability
Autodesk Backburner 2016, version 2016.0.0.2150 and earlier, fails to properly check the length of
command input which may be leveraged to create a denial of service condition or to execute arbitrary
code. For detailed description, impact and solution, click here.
Vulnerability Note (VU# 319816): npm fails to restrict the actions of malicious npm package
npm allows packages to take actions that could allow a malicious npm package author to create a
worm that spreads across the majority of the npm ecosystem. For detailed description, impact and
solution, click here.

Vulnerability Note (VU# 27947): Granite Data Services AMF framework fails to properly parse
XML input containing a reference to external entities
Granite Data Services version 3.1.1-SNAPSHOT AMF framework is vulnerable to XML external entity
(XXE) attack that may be leveraged to expose sensitive data on the host. For detailed description,
impact and solution, click here.
Vulnerability Note (VU# 897144): Solarwinds Dameware Remote Mini Controller Windows
service is vulnerable to stack buffer overflow
Solarwinds Dameware Remote Mini Controller is software for assisting in remote desktop
connections for helpdesk support. According to the reporter, the Solarwinds Dameware Remote Mini
Controller Windows service, dwrcs.exe, is vulnerable to stack-based buffer overflow. A remote
attacker sending carefully crafted data may be able to obtain private information or execute code.
The researcher has published an advisory with more information.

The CERT/CC has not been able to confirm this information with the vendor. For detailed description,
impact and solution, click here.
Vulnerability Note (VU# 713312): DTE Energy Insight app vulnerable to information
exposure
The DTE Energy Insight app lets DTE Energy customers track their energy usage. This information is
exposed via an HTTP REST API.
The API contains a parameter 'filter' that may be manipulated by an authenticated user. This
parameter determines the customer data to be returned by the server. By manipulating the 'filter'
parameter, an authorized user may be able to obtain and query limited customer information for
other users. For detailed description, impact and solution, click here.
Vulnerability Note (VU# 270232): Quagga bgpd with BGP peers enabled for VPNv4 contains a
buffer overflow vulnerability
Quagga is a software routing suite that implements numerous routing protocols for Unix-based
platforms. A memcpy function in the VPNv4 NLRI parser of bgp_mplsvpn.c does not properly check
the upper-bound length of received Labeled-VPN SAFI routes data, which may allow for arbitrary
code execution on the stack. Note that hosts are only vulnerable if bgpd is running with BGP peers
enabled for VPNv4, which is not a default configuration. For more details, refer to the Quagga
changelog and commit notes. For detailed description, impact and solution, click here.
Vulnerability Note (VU# 583776): Network traffic encrypted using RSA-based SSL certificates
over SSLv2 may be decrypted by the DROWN attack
Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2
handshake data can be collected. This is known as the "DROWN" attack in the media. For detailed
description, impact and solution, click here.
Vulnerability Note (VU# 938151): Forwarding Loop Attacks in Content Delivery Networks
may result in denial of service
Content Delivery Networks (CDNs) may in some scenarios be manipulated into a forwarding loop,
which consumes server resources and causes a denial of service (DoS) on the network. For detailed
description, impact and solution, click here.

Vulnerability Note (VU# 419128): IKE/IKEv2 protocol implementations may allow network
amplification attacks
Implementations of the IKEv2 protocol are vulnerable to network amplification attacks. For detailed
description, impact and solution, click here.
Vulnerability Note (VU# 444472): QNAP Signage Station and iArtist Lite contain multiple
vulnerabilities
The QNAP Signage Station prior to version 2.0.1 and the accompanying iArtist Lite application
contain multiple vulnerabilities. For detailed description, impact and solution, click here.
Vulnerability Note (VU# 981271): Multiple wireless keyboard/mouse devices use an unsafe
proprietary wireless protocol
Wireless keyboard and mouse devices from multiple vendors use proprietary wireless protocols that
are not properly secured. For detailed description, impact and solution, click here.
Vulnerability Note (VU# 485744): Flexera Software FlexNet Publisher lmgrd contains a buffer
overflow vulnerability
Flexera Software FlexNet Publisher, version 11.13.1.0 and earlier, lmgrd and custom vendor daemon
servers contain a buffer overflow vulnerability that may be leveraged to gain code execution. For
detailed description, impact and solution, click here.
Vulnerability Note (VU# 899080): Zhuhai Raysharp firmware for DVRs from multiple vendors
contains hard-coded credentials
Digital Video Recorders (DVRs), security cameras, and possibly other devices from multiple vendors
use a firmware derived from Zhuhai RaySharp that contains a hard-coded root password. For
detailed description, impact and solution, click here.
Vulnerability Note (VU# 923388): Swann SRNVW-470 allows unauthorized access to video
stream and contains a hard-coded password
Swann network video recorder (NVR) devices contain a hard-coded password and do not require
authentication to view the video feed when accessing from specific URLs. For detailed description,
impact and solution, click here.
Vulnerability Note (VU# 457759): glibc vulnerable to stack buffer overflow in DNS resolver
GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote
attacker to execute arbitrary code. For detailed description, impact and solution, click here.
Vulnerability Note (VU# 507216): Hirschmann "Classic Platform" switches reveal
administrator password in SNMP community string by default
Hirschmann "Classic Platform" switches contain a password sync feature that syncs the switch
administrator password with the SNMP community password, exposing the administrator password
to attackers on the local network. For detailed description, impact and solution, click here.

Vulnerability Note (VU# 327976): Cisco Adaptive Security Appliance (ASA) IKEv1 and IKEv2
contains a buffer overflow vulnerability
Cisco Adaptive Security Appliance (ASA) Internet Key Exchange versions 1 and 2 (IKEv1 and IKEv2)
contains a buffer overflow vulnerability that may be leveraged to gain remote code execution. For
detailed description, impact and solution, click here.
Vulnerability Note (VU# 305096): Comodo Chromodo browser with Ad Sanitizer does not
enforce same origin policy and is based on an outdated version of Chromium
Comodo Chromodo browser, version 45.8.12.391, and possibly earlier, bundles the Ad Sanitizer
extension, version 1.4.0.26, which disables the same origin policy, allowing for the possibility of
cross-domain attacks by malicious or compromised web hosts. Chromodo is based on an outdated
release of Chromium with known vulnerabilities. For detailed description, impact and solution, click
here.
Vulnerability Note (VU# 777024): Netgear Management System NMS300 contains arbitrary
file upload and path traversal vulnerabilities
Netgear Management System NMS300, version 1.5.0.11 and earlier, is vulnerable to arbitrary file
upload, which may be leveraged by unauthenticated users to execute arbitrary code with SYSTEM
privileges. A directory traversal vulnerability enables authenticated users to download arbitrary
files. For detailed description, impact and solution, click here.
Vulnerability Note (VU#544527): OpenELEC and RasPlex have a hard-coded SSH root
password
OpenELEC and derivatives utilize a hard-coded default root password, and enable SSH root access by
default. For detailed description, impact and solution, click here.
Vulnerability Note (VU# 972224): Huawei Mobile WiFi E5151 and E5186 routers use
insufficiently random values for DNS queries
Huawei Mobile WiFi E5151, firmware version 21.141.13.00.1080, and E5186, firmware version
V200R001B306D01C00, use insufficiently random values for DNS queries and are vulnerable to DNS
spoofing attacks. For detailed description, impact and solution, click here.


Vulnerability Note (VU# 257823): OpenSSL re-uses unsafe prime numbers in Diffie-Hellman
protocol
OpenSSL may generate unsafe primes for use in the Diffie-Hellman protocol, which may lead to
disclosure of enough information for an attacker to recover the private encryption key. For detailed
description, impact and solution, click here.
Vulnerability Note (VU# 992624): Harman AMX multimedia devices contain hard-coded
credentials
Multiple models of Harman AMX multimedia devices contain a hard-coded debug account. For
detailed description, impact and solution, click here.
Vulnerability Note (VU# 916896): Oracle Outside In 8.5.2 contains multiple stack buffer
overflows
Oracle Outside In versions 8.5.2 and earlier contain stack buffer overflow vulnerabilities in the
parsers for WK4, Doc, and Paradox DB files, which can allow a remote, unauthenticated attacker to
execute arbitrary code on a vulnerable system. For detailed description, impact and solution, click
here.
Vulnerability Note (VU# 772447): ffmpeg and Libav cross-domain information disclosure
vulnerability
ffmpeg and Libav cross-domain information disclosure vulnerability. For detailed description,
impact and solution, click here.
Vulnerability Note (VU# 456088): OpenSSH Client contains a client information leak
vulnerability and buffer overflow
OpenSSH client code versions 5.4 through 7.1p1 contain a client information leak vulnerability that
could allow an OpenSSH client to leak information including but not limited to private keys, as well
as a buffer overflow in certain non-default configurations. For detailed description, impact and
solution, click here.
Vulnerability Note (VU# 753264): IPSwitch WhatsUp Gold does not validate commands when
deserializing XML objects
IPSwitch WhatsUp Gold version 16.3 does not properly validate data when deserializing XML objects
sent over SOAP requests. For detailed description, impact and solution, click here.
Vulnerability Note (VU# 820196): Furuno Voyage Data Recorder (VDR) moduleserv firmware
update utility fails to properly sanitize user-provided input
Furuno Voyage Data Recorder (VDR) VR-3000/VR-3000S and VR-7000 moduleserv firmware update
utility fails to properly sanitize user-provided input and is vulnerable to arbitrary command
execution with root privileges. For detailed description, impact and solution, click here.

Security Publications, Tips, Tools and Solutions
NISTIR 8055: Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of
Concept Research
This report documents proof of concept research for Derived Personal Identity Verification (PIV)
Credentials. Smart card-based PIV Cards cannot be readily used with most mobile devices, such as
smartphones and tablets, but Derived PIV Credentials (DPCs) can be used instead to PIV-enable these
devices and provide multi-factor authentication for mobile device users. This report captures
existing requirements related to DPCs, proposes an architecture that supports these requirements,
and then demonstrates how such an architecture could be implemented and operated. To review
the document, click here.


NISTIR 8054: NSTIC Pilots: Catalyzing the Identity Ecosystem
Pilots are an integral part of the National Strategy for Trusted Identities in Cyberspace (NSTIC),
issued by the White House in 2011 to encourage enhanced security, privacy, interoperability, and
ease of use for online transactions. This document details summaries and outcomes of NSTIC pilots;
in addition, it explores common themes in the pilots' work developing and operating innovative
identity solutions. To review the document, click here.

NISTIR 7511 Rev. 4: Security Content Automation Protocol (SCAP) Version 1.2
Validation Program Test Requirements
This report defines the requirements and associated test procedures necessary for products or
modules to achieve one or more Security Content Automation Protocol (SCAP) validations.
Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that
have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation
Program (NVLAP). To review the document, click here.
NIST Special Publication 800-38G: Recommendation for Block Cipher Modes of Operation:
Methods for Format-Preserving Encryption
This publication specifies and approves the FF1 and FF3 encryption modes of operation of the AES
algorithm.
The previously approved encryption modes are not designed for non-binary data such as Social
Security numbers (SSNs); in particular, the decimal representation of an encrypted SSN might consist
of more than nine digits, so it would not look like an SSN.
By contrast, format-preserving encryption (FPE) methods such as FF1 and FF3 are designed for data
that is not necessarily binary. In particular, given any finite set of symbols, like the decimal numerals,
a method for FPE transforms data that is formatted as a sequence of the symbols in such a way that
the encrypted form of the data has the same format, including the length, as the original data. Thus,
an FPE-encrypted SSN would be a sequence of nine decimal digits.
FPE modes facilitate the retrofitting of encryption technology to existing devices or software, where
a conventional encryption mode might not be feasible. In particular, database applications may not
support changes to the length or format of data fields.
More generally, FPE can support the sanitization of databases, i.e., the targeting of encryption to
personally identifiable information (PII), such as SSNs. The encrypted SSNs could still serve as an
index to facilitate statistical research, perhaps across multiple databases. An important caveat to this
application of FPE is that re-identification is sometimes feasible through the analysis of the
unencrypted data and other information.
The commercial impetus comes from the payments industry, where FPE methods have already been
deployed in merchants' credit card readers. To view the publication, click here.

NIST Special Publication 800-171: Protecting Controlled Unclassified Information in
Nonfederal Information Systems and Organizations
The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information
systems and organizations is of paramount importance to federal agencies and can directly impact
the ability of the federal government to successfully carry out its designated missions and business
operations. This publication provides federal agencies with recommended requirements for
protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems
and organizations; (ii) when the information systems where the CUI resides are not used or operated
by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where
there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed
by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory
listed in the CUI Registry. The requirements apply to all components of nonfederal information
systems and organizations that process, store, or transmit CUI, or provide security protection for
such components. The CUI requirements are intended for use by federal agencies in contractual
vehicles or other agreements established between those agencies and nonfederal organizations. To
view the publication, click here.
NIST Special Publication 800-125B: Secure Virtual Network Configuration for Virtual Machine
(VM) Protection
Virtual machines (VMs) are key resources to be protected since they are the compute engines hosting
mission-critical applications. Since VMs are end nodes of a virtual network, the configuration of the
virtual network is an important element in the security of the VMs and their hosted applications. The
virtual network configuration areas discussed in this document are network segmentation, network
path redundancy, traffic control using firewalls, and VM traffic monitoring. This document analyzes
the configuration options under these areas and presents a corresponding set of recommendations
for secure virtual network configuration for VM protection. To view the publication, click here.
NIST Special Publication 800-73-4: Interfaces for Personal Identity Verification
FIPS 201 defines the requirements and characteristics of a government-wide interoperable identity
credential. FIPS 201 also specifies that this identity credential must be stored on a smart card. This
document, SP 800-73, contains the technical specifications to interface with the smart card to retrieve
and use the PIV identity credentials. The specifications reflect the design goals of interoperability and
PIV Card functions. The goals are addressed by specifying a PIV data model, card edge interface, and
application programming interface. Moreover, this document enumerates requirements where the
international integrated circuit card standards [ISO7816] include options and branches. The
specifications go further by constraining implementers' interpretations of the normative standards.
Such restrictions are designed to ease implementation, facilitate interoperability, and ensure
performance, in a manner tailored for PIV applications. To view the publication, click here.
NIST Special Publication 800-57 Part 1 Rev. 4: Recommendation for Key Management, Part 1:
General
This Recommendation provides cryptographic key management guidance. It consists of three parts.
Part 1 provides general guidance and best practices for the management of cryptographic keying
material. Part 2 provides guidance on policy and security planning requirements for U.S. government
agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems.
To view the publication, click here.
ICS-CERT Releases CSET 7.1
ICS-CERT released the latest version of its Cyber Security Evaluation Tool (CSET), CSET 7.1, in
February 2016. CSET provides a systematic, disciplined, and repeatable approach for evaluating an
organization's cybersecurity posture. CSET is a desktop software tool that guides asset owners and
operators through a step-by-step process to analyze their ICS and IT network security practices using
many recognized government and industry standards and recommendations.
CSET is distributed freely to the public. For additional information on CSET or to download a copy,
click here.
ICS-CERT Fact Sheets

ICS-CERT recently published eight updated fact sheets. Below are links to access each fact
sheet.
1. Industrial Control Systems Cyber Emergency Response Team
2. Preparing for Cyber Incident Analysis
3. Industrial Control Systems Joint Working Group
4. Control Systems Architecture Analysis Services
5. Cyber Security Evaluation Tool
6. Cyber Resilience Review and Cyber Security Evaluation Tool
7. Training
8. Strategy for Securing Control Systems

NERC Compliance Tools and Resources
Final Lesson Learned Posted
To further ensure registered entity confidence in their transition to CIP V5, NERC continued to work
with the Regional Entities and stakeholder participants from the implementation study to develop
lessons learned and frequently asked questions on specific issues.
The final BES Cyber Assets Lesson Learned is posted to the CIP V5 transition page. The foundational
definition for the CIP Version 5 Reliability Standards is cyber assets. When cyber assets meet a
threshold of BES impact they become BES cyber assets (BCA), which may be grouped by responsible
entities into BES Cyber Systems (BCS). In Order
FERC identified the definition of BCA as "is
intended to capture assets involved in real-time operations, such as systems that provide input to an
operator for real-time operations or trigger automated real-time operations." This lesson learned
document provides examples of approaches used by Implementation Study participants to identify
BES Cyber Assets.
Additional lessons learned are under development, and will be shared when finalized. A link to the
CIP Version 5 transition program lesson learned can also be accessed on the U.S. standards one-stop
shop, located on the standards left-hand navigation panel.

CIP V5 Evidence Request Spreadsheets Available
A component of performing a compliance audit is the gathering of evidence to support audit findings.
The Regions, as delegates of NERC, perform compliance audits and exercise a degree of
independence. Historically, this meant each Region issued a request for information prior to the audit
and the responsible entity provided the requested information.
In the course of developing the spreadsheets, the development team met with industry
representatives to create a better set of RSAWs. Part of the discussion centered on what types of
evidence would be requested to demonstrate compliance with the CIP V5 standards. Since the RSAWs
could not provide that level of detail, industry representatives sought more transparency from the
evidence requests that the regions send to responsible entities as part of the audit process.
Additionally, there was a request from industry representatives to standardize the evidence requests
across the ERO; this was especially important to responsible entities operating in multiple Regions.
The CIP Version 5 (revised) evidence request is a common appeal for information that will be
available for use by all of the Regions. This document will assist the ERO to be more consistent and
transparent in its audit approach. It will also help responsible entities (especially those that operate
in multiple Regions) fulfill requests more efficiently by understanding what types of evidence are
useful in preparation for an audit.

Evidence request spreadsheets help to:

- Create a standardized list of preliminary audit evidence required to perform a CIP V5 audit.
- Provide an audit process for the ERO that will provide a consistent approach to the initial
  request for information for CIP V5 audits.
- Reduce or address regional differences in audit approach that will lead to different audit
  evidence requests.

While it is voluntary for industry and Regional Entity auditors to use, the common request for
information helps the ERO be more consistent and transparent in its audit approach.
For more information, refer to the CIP V5 transition web page and CIP V5 evidence request user
guide.

Highlight on CIP V5 Program Resources
NERC updated the CIP V5 Curriculum document, which provides numerous resources from NERC
and the Regional Entities in three categories: 100 - standard-specific training; 200 - compliance and
enforcement considerations; and 300 - lessons learned, guidance and FAQs. To view the curriculum,
click here.

FERC Orders
Order No. 822: Revised Critical Infrastructure Protection Reliability Standards
FERC issues a final rule adopting revisions to seven Critical Infrastructure Protection (CIP) Reliability
Standards, and also directs NERC to develop modifications and conduct a study. Click here to view
the order.

RM15-14-000: Letter Order Granting Extension of Time for Revised CIP V5
Reliability Standards

FERC issues a letter order granting an extension of time to defer the implementation of the CIP
Version 5 Reliability Standards from April 1, 2016 to July 1, 2016 to align with the effective date for
the revised CIP Reliability Standards approved in Order No. 822. Click here to view the order.

NERC Filings with FERC
RM15-14-000: Comments of NERC in Response to Trade Associations' Motion in the
Revised CIP Standards Proceeding
NERC submits comments in response to the motion for extension of time and request for shortened
comment period and expedited action of the Trade Associations in the revised Critical Infrastructure
Protection (CIP) Reliability Standards proceeding. Click here to view a copy of the filing.

Pending Legislation
H.R.4350 - To repeal the Cybersecurity Act of 2015
This bill repeals the Cybersecurity Act of 2015 and restores provisions amended by such Act as if it
had not been enacted. Latest Action: 02/03/2016 Referred to the Subcommittee on Crime,
Terrorism, Homeland Security, and Investigations. Click here for additional information.

S.2665 - State and Local Cyber Protection Act of 2016
To amend the Homeland Security Act of 2002 to require State and local coordination on cybersecurity
with the national cybersecurity and communications integration center. Latest Action: 03/10/2016
Read twice and referred to the Committee on Homeland Security and Governmental Affairs. Click
here for additional information.

H.R.4743 - National Cybersecurity Preparedness Consortium Act of 2016
To authorize the Secretary of Homeland Security to establish a National Cybersecurity Preparedness
Consortium. Latest Action: 03/18/2016 Referred to the Subcommittee on Cybersecurity,
Infrastructure Protection, and Security Technologies. Click here for additional information.

H.R.4860 - United States - Israel Cybersecurity Cooperation Act
To authorize the Secretary of Homeland Security to establish the United States - Israel Cybersecurity
Center of Excellence. Latest Action: 03/23/2016 Referred to House Science, Space, and
Technology. Click here for additional information.

Upcoming Events
RF Spring Reliability Workshop
April 12-15, 2016; Lew Center, OH

NPCC Physical Security Information Exchange
May 10, 2016; Cooperstown, NY

FRCC Spring Compliance Workshop
April 12-16, 2016; Tampa, FL

NERC Critical Infrastructure Protection Standards Technical Conference
April 19, 2016; Atlanta, GA

Texas RE Spring 2016 Standards & Compliance Workshop
April 20, 2016; Austin, TX

ICSJWG 2016 Spring Meeting
May 3-5, 2016; Scottsdale, AZ

NPCC Spring 2016 Compliance and Standards Workshop
May 10-12, 2016; Cooperstown, NY

FRCC 2016 CIP Compliance Workshop
May 10-12, 2016; Tampa, FL

Texas RE Compliance Monitoring Workshop
May 19, 2016; Austin, TX

SPP RE CIP Workshop
May 24-25, 2016; Little Rock, AR

Industrial Control Systems Cybersecurity (301) Training
May 9-13, 2016, Idaho Falls, AZ

MRO Reliability Conference Protection Systems
May 25, 2016; St. Paul, MN

RF Fall Workshop
September 27-30, 2016; Independence, OH

FERC Reliability Technical Conference
June 1, 2016; Washington, DC

TRE Fall Standards & Compliance Workshop
October 13, 2016; Austin, TX

NERC 2016 Standards & Compliance Workshop
July 12-15, 2016; St. Louis, MO

Texas RE Compliance 101 Workshop
July 20, 2016; Austin, TX

Black Hat USA 2016
July 30 - August 4, 2016; Las Vegas, NV

SPP RE Fall Workshop
September 20-21, 2016; Oklahoma City, OK

NERC GridSecCon 2016
October 17-21, 2016; Quebec, Canada

SERC Fall Compliance Seminar
October 19-19, 2016; Charlotte, NC

WECC CUG & CIPUG
October 25-27, 2016; TBD

FRCC Compliance Fall Workshop
November 8-10, 2016; Tampa, FL

NPCC Compliance Workshop
November 15-17, 2016; Newport, RI

MRO Security Conference
September 27-28, 2016; St. Paul, MN

MRO CMEP Conference
November 16, 2016; St. Paul, MN

SERC CIP Compliance Seminar
September 27-18, 2016; Charlotte, NC

Looking for a Helpful Resource?
Encari's Website
Encari is currently undergoing a full redesign! Not only will it have a whole new look and feel, it will
also contain a plethora of new information for your reference. Check back in four to six weeks to
view our site updates and new content. To view Encari's current website, click here.

NERC CIP Compliance LinkedIn Group

Looking for a place to pose a general question or to help others with their questions? Try Encari's
NERC CIP Compliance LinkedIn group. The NERC CIP Compliance group, which is nearing 4,000
members, has been established to provide a forum within which all parties involved with the bulk
power system can collaborate in addressing all considerations pertaining to the NERC CIP
compliance life cycle.

Encari's Email Distribution List
Currently up to nearly 3,000 subscribers, Encari has established its email distribution list to provide
complimentary resources to all interested individuals in the electric utility industry. If you're
interested in being invited to Encari's complimentary Webinars, receiving Encari's complimentary
quarterly NERC CIP security awareness bulletins (i.e., this and future bulletins), receiving
complimentary reference materials and receiving Webinar presentation materials, subscribe to
Encari's email distribution list today by sending your request to

NERC CIP Version 5 Indices

Encari has released comprehensive indices of topics related to the version five North American
Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cyber Security
Standards in order to assist utilities in understanding and complying with these important and
complex new cyber security requirements.
One of the indices is geared specifically towards assisting senior managers, per the CIP-002-5 R3
compliance requirement, navigate the version five standards while the other index may be used by
all others fulfilling various NERC CIP compliance management roles. You may access both versions
of the indices by visiting: NERC CIP Version 5 Indices.

Quarterly Security Awareness Resources
Encari believes it is extremely important to fulfill its role in contributing to the electric utility
industry. As such, Encari has been providing complimentary quarterly security awareness bulletins
addressing a wide variety of security awareness topics utilities', municipalities' and cooperatives'
entire workforces should know. Encari has been providing these complimentary security awareness
resources since mid-2009.
Feel free to peruse our archives and download any security awareness materials, and / or download
any of our previous security awareness bulletins, by clicking here.

NERC CIP Compliance Webinars
In addition to quarterly security awareness bulletins, Encari has been providing complimentary
Webinars addressing diverse NERC CIP compliance considerations since 2008.
Feel free to peruse our archives and download any NERC CIP compliance presentation materials,
and/or transcribed questions received during each Webinar along with Encari's official responses,
by clicking here.

ICS-CERT Critical Infrastructure Feed Recently Published
The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) works to reduce risks
within and across all critical infrastructure sectors by partnering with law enforcement agencies and
the intelligence community, and by coordinating efforts among Federal, state, local, and tribal
governments and control systems owners, operators, and vendors. Additionally, ICS-CERT
collaborates with international and private sector Computer Emergency Response Teams (CERTs) to
share control systems-related security incidents and mitigation measures. Recent alerts are
available at />
SCADA Security Survival Guide
While you need to register in order to access the contents of this survival guide, which is located at
it is worth it. This
particular article contains a collection of other articles that have been published by CSO addressing
the topics of SCADA security threats and mitigation strategies.

ECT.COOP
This great cyber security reference, specifically for coops, is available at

p/tag/cyber-security.

Contribute Control Systems Security Articles to Future ICSJWG Quarterly Newsletters
Did you know ICSJWG welcomes contributions from the community pertaining to control systems
security for its ICSJWG Quarterly Newsletter? If you want to submit an article for the future
newsletters, email your information to and ICSJWG will take your submission
under consideration for publication.

RSS
RSS (Really Simple Syndication) feeds can be very helpful. These subscriptions will keep you and
your staff current on the latest news as it hits the web. Open source readers and aggregators are
readily available; search "RSS Readers". Subscribing to an RSS feed is a great way to remain current
on security issues and regulatory information. Below are some of our favorites:
Security System News
What's New at FERC?
FERC Technical Conferences
US-CERT Cybersecurity Bulletins
Do you have a topic to include in a future Encari Security Awareness Bulletin, feedback
or a question concerning any material contained in this bulletin? Contact us at

