Read the Community Blog

Serious security holes in Siemens Control Systems

More Siemens vulnerabilities have come to light. See the Ars Technica article for more information: http://arstechnica.com/security/news/2011/08/serious-security-holes-found-in-siemens-control-systems-targeted-by-stuxnet.ars

It seems that good security basics, securing the perimeter and the general environment, remain key, as described in the pattern we put together a while back.

Update 3rd October 2011

One of our contributors to OSA (thanks Herbert) has studied the Siemens S7 vulnerabilities mentioned. He comments that:

"for native communication via RFC 1006 (= TCP 102) you don't need any authentication, so an S7 CPU should always be protected by defense in depth".

Please see http://www.us-cert.gov/control_systems/ for more details.
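Since native S7 communication over RFC 1006 (ISO-TSAP on TCP 102) carries no authentication of its own, the practical control is to make sure only approved engineering stations can ever reach a PLC on that port and to alert on anything else. The script below is an added example written for this post; it is not code from OSA or from the contributor quoted above. The flow-record format, the network ranges (10.10.0.0/16 as the OT network, 10.10.5.0/24 as the PLC cell) and the single approved engineering station 10.10.1.20 are all constructed for illustration.

```python
"""Audit flow records for S7 (RFC 1006, TCP 102) sessions that break segmentation.

Added example: the addresses, allowlist and flow-line format are assumed, not
taken from the OSA post or from any real site.
"""
import ipaddress
from dataclasses import dataclass

S7_PORT = 102  # ISO-TSAP / RFC 1006: native S7 transport, no protocol-level authentication

# Assumed network layout (placeholder ranges for the example).
OT_NETWORK = ipaddress.ip_network("10.10.0.0/16")       # whole plant-floor network
PLC_CELL = ipaddress.ip_network("10.10.5.0/24")         # segment holding the S7 CPUs
ENGINEERING_STATIONS = {ipaddress.ip_address("10.10.1.20")}  # only hosts allowed to talk S7


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed 'key=value' flow record, e.g. 'src=a dst=b dport=102 proto=tcp'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"].lower())


def is_s7_flow(flow: Flow) -> bool:
    """RFC 1006 runs over TCP only; UDP/102 or other ports are not S7 sessions."""
    return flow.proto == "tcp" and flow.dport == S7_PORT


def violates_policy(flow: Flow):
    """Return a reason string if this flow breaks the S7 segmentation policy, else None.

    Policy (defense in depth around the unauthenticated CPU): a PLC in the cell may
    receive TCP/102 only from an approved engineering station inside the OT network.
    """
    if not is_s7_flow(flow):
        return None
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst not in PLC_CELL:
        return None  # not aimed at a PLC; out of scope for this check
    if src not in OT_NETWORK:
        return f"S7/TCP-102 to PLC {dst} from {src}, which is outside the OT network"
    if src not in ENGINEERING_STATIONS:
        return f"S7/TCP-102 to PLC {dst} from {src}, which is not an approved engineering station"
    return None


# Constructed sample flow records for the example run.
SAMPLE_FLOWS = [
    "src=10.10.1.20 dst=10.10.5.11 dport=102 proto=tcp",   # engineering station: allowed
    "src=10.10.1.35 dst=10.10.5.11 dport=102 proto=tcp",   # OT host, not approved: flag
    "src=192.168.40.7 dst=10.10.5.12 dport=102 proto=tcp", # from outside OT: flag
    "src=10.10.1.35 dst=10.10.5.11 dport=443 proto=tcp",   # not S7: ignore
    "src=10.10.1.20 dst=10.10.5.11 dport=102 proto=udp",   # UDP/102 is not RFC 1006: ignore
]


def audit(lines):
    """Return (flow_line, reason) pairs for every record that violates the policy."""
    findings = []
    for line in lines:
        reason = violates_policy(parse_flow_line(line))
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for line, reason in audit(SAMPLE_FLOWS):
        print(f"ALERT: {reason}  [{line}]")
```

The same allowlist is what the firewall between the engineering network and the PLC cell should enforce; running the check over exported flow logs verifies that the rule is actually holding, which is the point of layering controls around a CPU that cannot authenticate its peers itself.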


New icons- Black Hat and iPhone

We've added a few new icons to the 11_02 set for an upcoming pattern. We now have a Black Hat to represent a 'hacker' (I place it in quotes as the term originally meant a computer user who hacked together code quickly to achieve a given objective, and it has somewhat changed meaning in recent years).

The black hat took its inspiration from the Mad Spy vs. Spy comic, a firm favourite when I was younger, especially the rather good game on the C64 :-) We have also added an iPhone (or possibly Android) icon, as this would appear to be a necessary staple of modern life to enable us to function... and we needed it for the new pattern Tobi is building.

As usual the icons have been added to the icon library as SVG and PNG, and are included in the icon packs.


Sony and Amazon outages

Two high-impact outages have hit large service providers recently: Amazon's cloud services, which had knock-on effects for a number of large companies relying on them, and Sony, which suffered a major security breach that, at the time of writing, is still being cleaned up, with the total impact on customers unknown.

It made me think again about how the importance of security (Confidentiality, Integrity, and Availability) is increasing for society as we place more and more systems in the cloud, in complex chains. This chimes with the original goals for starting OSA, captured in this article.

See these articles on the BBC site for summaries:

Amazon apologises for web fault one week on

PlayStation Network credit card details were encrypted


February 2011 Open Security Architecture Newsletter

Please find a short summary of recent changes on the Open Security Architecture website.

NEW PATTERNS


We have just finalised the DMZ pattern.
http://www.opensecurityarchitecture.org/cms/library/patternlandscape/286-sp-016-dmz-module
This pattern is a standard module that will be reused within the pattern library.

There is a near final draft of the Board of Directors Room pattern.
http://www.opensecurityarchitecture.org/cms/library/patternlandscape/292-draft-pattern-board-room
This pattern gives a solution for secure collaboration on highly sensitive materials such as financial reporting and board minutes.

There is an initial draft of the Industrial Control Systems pattern.
http://www.opensecurityarchitecture.org/cms/library/patternlandscape/293-draft-sp-023-industrial-control-systems
This pattern is a first in this area, and we are really pleased to have been able to collaborate with Industrial Control System experts to ensure that the quality is high for this first draft. If this is an area you have experience in, we'd welcome comments.

A secure audit trails pattern is being started.



Mappings and Icons
You can now download the entire catalog and mappings as a database that can be imported into MySQL or any other DBMS of your choice.
More info here: http://www.opensecurityarchitecture.org/cms/library/0802control-catalogue/266-08-02-controls-catalog-sql-export

The icon packs and templates have been updated to add a couple of new icons and correct an SVG rendering bug under Chrome.
http://www.opensecurityarchitecture.org/cms/library/icon-library
http://www.opensecurityarchitecture.org/cms/library/pattern-template


Outlook
We aim to add a PCI-DSS v2 mapping to the catalog shortly.
Do you have other ideas for the roadmap? Let us know at info at opensecurityarchitecture.org

All work from contributors is always credited to the originator.

We always appreciate feedback on progress, and further improvements you want to see.
If you think OSA could be useful for your contacts please pass on the word.

Best regards
The OSA core team

OSA has more than 1000 members

OSA is visited by more than 10'000 visitors from almost 100 countries each month
We highly appreciate all contributions and donations