Font Size Change

HOMEIT SecurityMeasures for Information Security VulnerabilitiesIPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in EC-CUBE

PRINT PAGE

IT Security

IPA/ISEC:Vulnerabilities:Security Alert for Vulnerability in EC-CUBE

Published: Apr 9, 2012
>> JAPANESE

In the wake of disclosure of several control system vulnerabilities, Information-technology Promotion Agency, Japan (IPA, Chairman Kazumasa Fujie) has decided to issue a security alert to warn control system operators.

Overview

In the past, control systems were believed relatively safe because they were not connected to external networks. However, the use of general-purpose products and standard protocols and the networked environment have spread in control systems and vulnerabilities in control systems have also been pointed out, cyber-attacks against control systems are beginning to become a reality.

URL:http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-01.pdf

If an attacker exploits those vulnerabilities in attacks, there is a possibility that he or she could maliciously operate the control systems. Association with the disclosed exploit codes is unclear, but there were some reports about system failure or abnormal behavior in control systems with disclosed vulnerabilities in other countries.

To prevent attacks exploiting known vulnerabilities, businesses that use control systems should check out the following items and pay close attention to the security information released by the control system vendors, and consider and take appropriate measures.

Security Measures for Control Systems

1. See if you use the control system products with the disclosed vulnerabilities that could be exploited by the exploit codes

According to the security alert from the U.S. ICS-CERT , exploit codes that could be used to attack six products of five Japanese, European or the U.S. vendors have been disclosed. See if you are in used of those products.

2. Analyzed the access routes from external networks (Especially if you do use the control system products checked out in 1)

If it is difficult to apply security patch, check out the network environment to see if there is any attack route used to attack control systems from the outside.

  • See if the control systems are accessible via the Internet to manage them.
  • See if the control systems are accessible from a PC within the organization痴 network.
  • See if network equipments, such as routers or hubs, brought in by employees are used.
  • See if external storage devices, such as USB memory stick, are usable.
  • See if the control systems are accessible via the Internet to manage them.
    (Also see if there is a policy when using an external storage device)

3. Consider and take countermeasures (In case any items in 2 apply)

If your business operation requires any situations listed in 2, consult with the vendor and take countermeasures like the following.

  • Block unauthorized access on the communication paths
  • Encrypt data on the communication paths, and limit and authenticate the source of the request
  • Apply security patch to the information systems (servers and PCs) timely
  • Consider application of security patch when one is provided by the vendor
  • Consider a total countermeasure that will cover both information systems and control systems

System Architecture of Control System and Possibility of Connection to External Networks

Since control systems can be connected to the outside world via a USB memory stick or networks, the necessity of considering the security measures that assume that the control systems may be attacked remotely is increasing.

Security Alert for Vulnerability in OpenPNE

(Appendix)
Effort on Control System Security, Documents and Tools

Based on the understanding that the importance of vulnerability countermeasures and security measures for control systems and embedded systems is increasing, IPA has been working on research and development of guidelines since 2008. Under such circumstances, Stuxnet, a malware said to have found a way into an Iranian nuclear power plant and caused malfunction, was discovered in 2010, and threats to control systems became a reality, making response to the situation imperative. Below, IPA痴 effort toward control system security, documents and tools are introduced.

(1)Reports on Trend in Control System Information Security

Based on today痴 circumstance where openness of control systems (the used of general-purpose protocols and standard protocols) has brought on cyber-attacks against control systems, IPA conducts yearly research and issues reports on the current situation of control system security. (References)

Topics in 2010 Report

  • 1)The current situation of control system security
  • 2)Effort toward vulnerability reduction in control systems
  • 3)Trend in smart meter control systems

Report on Control System Information Security 2010
URL: http://www.ipa.go.jp/security/fy22/reports/ics_sec/index.html (Japanese)

Topics in 2009 Report

  • 1)The current situation of development and utilization of guides and tools for vulnerability reduction
  • 2)Methods to evaluate and verify control system vulnerability
  • 3)Trend in control system security incident database
  • 4)Environment surrounding authentication for control systems

Report on Promotion Measures for Control System Security
URL: http://www.ipa.go.jp/security/fy21/reports/ics_sec/index.html (Japanese)

(2) SCADA Security Good Practices for the Drinking Water Sector

To promote enhancement of SCADA security in the drinking water sector, IPA translated a research report developed by the government of Netherlands and TNO Defense, Security and Safety. The report includes a checklist of thirty-nine measures (good practices) that could measure the current status of your organization痴 security level. The checklist has been developed based on the successful security measures taken in the drinking water sector, but is applicable for other critical infrastructures, such as gas and electric industry.

Report on Promotion Measures for Control System Security
URL: URL: http://www.ipa.go.jp/security/fy22/reports/ics_sec/index.html (Japanese)
URL: http://www.tno.nl/downloads/TNO-DV%202008%20C096_web.pdf (English)

(3) JVN iPedia - Vulnerability Countermeasure Information Database

JVN iPedia, a vulnerability countermeasure information database, was launched on April 25, 2007, to enable IT users to easily obtain vulnerability-related information by collecting vulnerability countermeasure information on software and products used in Japan. It also covers the vulnerability information about control systems released on NVD . You can obtain the information by typing 的CSA� and such as a search keyword in JVN iPedia.

Countermeasure information is collected from the following sources and translated as needed.

  • 1)Vulnerability countermeasure information released by Japanese software developers
  • 2)Vulnerability countermeasure information released on JVN , a web portal for vulnerability countermeasure information
  • 3)Vulnerability countermeasure information released on NVD, a vulnerability countermeasure database operated by NIST (National Institute of Standard Technology)
    URL: http://jvndb.jvn.jp/ (Japanese)
    URL: http://jvndb.jvn.jp/en/ (English)
(References) Change in Number of Control System Vulnerability Countermeasure Information

Security Alert for Vulnerability in OpenPNE

(4) Task Force for Control System Security

As a response to the intermediate report from the Study Group for Cybersecurity and Economics , Ministry of Economy, Trade and Industry established the Task Force for Control System Security on October 28, 2011 . Under the task force, the Steering Committee, Standardization WG, Evaluation and Accreditation WG, Incident Handling WG, Testbed WG, Human Resource Development WG, and Dissemination and Awareness Raising WG are at work. IPA supervises the Standardization WG and Evaluation and Accreditation WG. With the Standardization WG, IPA promotes research and utilization of international and industry standards and makes recommendation. With the Evaluation and Accreditation WG, IPA promotes adoption of the evaluation and accreditation schemes preceded in Europe and the U.S. to Japanese industries, and establishment of a scheme for international recognition.

(5) Provision of Information and Security Self-Assessment Tool to Those involved with Control Systems

JPCERT/CC (JPCERT Coordination Center) has been providing a security self-assessment tool for those involved with control systems since February 2011. It allows picking up security issues concerning development and operation of a control system and supports to consider security measures against those issues. The tool is under rework to be updated to the next version. Other works involve in sharing the information collected by JPCERT/CC through a community for those involved with control systems or promoting control system security.

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: