Essential NERC CIP Security Awareness Bulletin
2016 Copyright, Encari, a division of PowerSecure, Inc. This Security Awareness Bulletin is provided as a complimentary service by Encari to aid entities.
Essential NERC CIP Security Awareness Bulletin
Encari Security Awareness Bulletin, Volume VIII, Issue I: April, 2016

Table of Contents

Threats, Vulnerabilities and Incidents
  Cisco Security Advisory (cisco-sa-20160330-fp): Cisco Firepower Malware Block Bypass Vulnerability
  US-CERT Alert (TA16-091A): Ransomware and Recent Variants
  ICS-CERT Alert (IR-ALERT-H-16-056-01): Cyber-Attack Against Ukrainian Critical Infrastructure
  ICS-CERT Advisory (ICSA-16-084-01): Cogent DataHub Elevation of Privilege Vulnerability
  ICS-CERT Advisory (ICSA-16-082-01): Siemens APOGEE Insight Incorrect File Permissions Vulnerability
  ICS-CERT Advisory (ICSA-16-077-01A): ABB Panel Builder 800 DLL Hijacking Vulnerability (Update A)
  ICS-CERT Advisory (ICSA-16-075-01): Siemens SIMATIC S7-1200 CPU Protection Mechanism Failure
  ICS-CERT Advisory (ICSA-16-070-01): Schneider Electric Telvent RTU Improper Ethernet Frame Padding Vulnerability
  ICS-CERT Advisory (ICSA-16-063-01): Moxa ioLogik E2200 Series Weak Authentication Practices ... 10
  ICS-CERT Advisory (ICSA-16-061-01): Schneider Electric Building Operation Automation Server Vulnerability ... 10
  ICS-CERT Advisory (ICSA-16-061-02): Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability ... 10
  ICS-CERT Advisory (ICSA-16-049-01): B+B SmartWorx VESP211 Authentication Bypass Vulnerability ... 10
  ICS-CERT Advisory (ICSA-16-049-02): AMX Multiple Products Credential Management Vulnerabilities ... 10
  ICS-CERT Advisory (ICSA-16-040-01): Tollgrade SmartGrid Sensor Management System Software Vulnerabilities ... 11
  ICS-CERT Advisory (ICSA-16-040-02): Siemens SIMATIC S7-1500 CPU Vulnerabilities ... 11
  ICS-CERT Advisory (ICSA-16-033-01): Sauter moduWeb Vision Vulnerabilities ... 11
  ICS-CERT Advisory (ICSA-16-033-02): GE SNMP/Web Interface Vulnerabilities ... 11
  ICS-CERT Advisory (ICSA-16-028-01): Westermo Industrial Switch Hard-coded Certificate Vulnerability ... 11
  ICS-CERT Advisory (ICSA-16-026-01): MICROSYS PROMOTIC Memory Corruption Vulnerability ... 11
  ICS-CERT Advisory (ICSA-16-021-01): CAREL PlantVisor Enhanced Authentication Bypass Vulnerability ... 11
  ICS-CERT Advisory (ICSA-15-337-02): Hospira Multiple Products Buffer Overflow Vulnerability ... 12
  ICS-CERT Advisory (ICSA-16-019-01): Siemens OZW672 and OZW772 XSS Vulnerability ... 12
  ICS-CERT Advisory (ICSA-16-014-01): Advantech WebAccess Vulnerabilities ... 12
  ICS-CERT Advisory (ICSA-15-356-01): Siemens RUGGEDCOM ROX-based Devices NTP Vulnerabilities ... 12
  ICS-CERT Advisory (ICSA-15-351-01): Schneider Electric Modicon M340 Buffer Overflow Vulnerability ... 12
  ICS-CERT Advisory (ICSA-15-351-02): Motorola MOSCAD SCADA IP Gateway Vulnerabilities ... 13
  ICS-CERT Advisory (ICSA-15-351-03): eWON Vulnerabilities ... 13
  ICS-CERT Advisory (ICSA-15-349-01): Adcon Telemetry A840 Vulnerabilities ... 13
  ICS-CERT Advisory (ICSA-15-344-01B): Advantech EKI Vulnerabilities (Update B) ... 13
  Vulnerability Note (VU# 732760): Autodesk Backburner Manager contains a stack-based buffer overflow vulnerability ... 13
  Vulnerability Note (VU# 319816): npm fails to restrict the actions of malicious npm package ... 13
  Vulnerability Note (VU# 27947): Granite Data Services AMF framework fails to properly parse XML input containing a reference to external entities ... 14
  Vulnerability Note (VU# 897144): Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to stack buffer overflow ... 14
  Vulnerability Note (VU# 713312): DTE Energy Insight app vulnerable to information exposure ... 14
  Vulnerability Note (VU# 270232): Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability ... 14
  Vulnerability Note (VU# 583776): Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack ... 14
  Vulnerability Note (VU# 938151): Forwarding Loop Attacks in Content Delivery Networks may result in denial of service ... 14
  Vulnerability Note (VU# 419128): IKE/IKEv2 protocol implementations may allow network amplification attacks ... 15
  Vulnerability Note (VU# 444472): QNAP Signage Station and iArtist Lite contain multiple vulnerabilities ... 15
  Vulnerability Note (VU# 981271): Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol ... 15
  Vulnerability Note (VU# 485744): Flexera Software FlexNet Publisher lmgrd contains a buffer overflow vulnerability ... 15
  Vulnerability Note (VU# 899080): Zhuhai Raysharp firmware for DVRs from multiple vendors contains hard-coded credentials ... 15
  Vulnerability Note (VU# 923388): Swann SRNVW-470 allows unauthorized access to video stream and contains a hard-coded password ... 15
  Vulnerability Note (VU# 457759): glibc vulnerable to stack buffer overflow in DNS resolver ... 15
  Vulnerability Note (VU# 507216): Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default ... 15
  Vulnerability Note (VU# 327976): Cisco Adaptive Security Appliance (ASA) IKEv1 and IKEv2 contains a buffer overflow vulnerability ... 16
  Vulnerability Note (VU# 305096): Comodo Chromodo browser with Ad Sanitizer does not enforce same origin policy and is based on an outdated version of Chromium ... 16
  Vulnerability Note (VU# 777024): Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities ... 16
  Vulnerability Note (VU# 544527): OpenELEC and RasPlex have a hard-coded SSH root password ... 16
  Vulnerability Note (VU# 972224): Huawei Mobile WiFi E5151 and E5186 routers use insufficiently random values for DNS queries ... 16
  Vulnerability Note (VU# 257823): OpenSSL re-uses unsafe prime numbers in Diffie-Hellman protocol ... 16
  Vulnerability Note (VU# 992624): Harman AMX multimedia devices contain hard-coded credentials ... 16
  Vulnerability Note (VU# 916896): Oracle Outside In 8.5.2 contains multiple stack buffer overflows ... 16
  Vulnerability Note (VU# 772447): ffmpeg and Libav cross-domain information disclosure vulnerability ... 17
  Vulnerability Note (VU# 456088): OpenSSH Client contains a client information leak vulnerability and buffer overflow ... 17
  Vulnerability Note (VU# 753264): IPSwitch WhatsUp Gold does not validate commands when deserializing XML objects ... 17
  Vulnerability Note (VU# 820196): Furuno Voyage Data Recorder (VDR) moduleserv firmware update utility fails to properly sanitize user-provided input ... 17

Security Publications, Tips, Tools and Solutions ... 17
  NISTIR 8055: Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research ... 17
  NISTIR 8054: NSTIC Pilots: Catalyzing the Identity Ecosystem ... 17
  NISTIR 7511 Rev 4: Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements ... 18
  NIST Special Publication 800-38G: Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption ... 18
  NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ... 18
  NIST Special Publication 800-125B: Secure Virtual Network Configuration for Virtual Machine (VM) Protection ... 19
  NIST Special Publication 800-73-4: Interfaces for Personal Identity Verification ... 19
  NIST Special Publication 800-57 Part 1 Rev 4: Recommendation for Key Management, Part 1: General ... 19
  ICS-CERT Releases CSET 7.1 ... 19
  ICS-CERT Fact Sheets ... 19

NERC Compliance Tools and Resources ... 20
  Final Lesson Learned Posted ... 20
  CIP V5 Evidence Request Spreadsheets Available ... 20
  Highlight on CIP V5 Program Resources ... 21

FERC Orders ... 21
  Order No 822: Revised Critical Infrastructure Protection Reliability Standards ... 21
  RM15-14-000: Letter Order Granting Extension of Time for Revised CIP V5 Reliability Standards ... 21

NERC Filings with FERC ... 21
  RM15-14-000: Comments of NERC in Response to Trade Associations' Motion in the Revised CIP Standards Proceeding ... 21

Pending Legislation ... 22
  H.R.4350 - To repeal the Cybersecurity Act of 2015 ... 22
  S.2665 - State and Local Cyber Protection Act of 2016 ... 22
  H.R.4743 - National Cybersecurity Preparedness Consortium Act of 2016 ... 22
  H.R.4860 - United States - Israel Cybersecurity Cooperation Act ... 22

Upcoming Events ... 22
  FRCC Spring Compliance Workshop ... 22
  Texas RE Spring 2016 Standards & Compliance Workshop ... 22
  ICSJWG 2016 Spring Meeting ... 22
  Industrial Control Systems Cybersecurity (301) Training ... 22
  FRCC 2016 CIP Compliance Workshop ... 22
  SPP RE CIP Workshop ... 22
  MRO Reliability Conference Protection Systems ... 23
  FERC Reliability Technical Conference ... 23
  NERC 2016 Standards & Compliance Workshop ... 23
  Texas RE Compliance 101 Workshop ... 23
  MRO Security Conference ... 23
  SERC CIP Compliance Seminar ... 23
  RF Fall Workshop ... 23
  TRE Fall Standards & Compliance Workshop ... 23
  NERC GridSecCon 2016 ... 23
  SERC Fall Compliance Seminar ... 23
  WECC CUG & CIPUG ... 23
  FRCC Compliance Fall Workshop ... 23
  NPCC Compliance Workshop ... 23
  MRO CMEP Conference ... 23

Looking for a Helpful Resource? ... 23
  Encari's Website ... 23
  NERC CIP Compliance LinkedIn Group ... 23
  Encari's Email Distribution List ... 23
  NERC CIP Version Indices ... 24
  Quarterly Security Awareness Resources ... 24
  NERC CIP Compliance Webinars ... 24
  ICS-CERT Critical Infrastructure Feed Recently Published ... 24
  SCADA Security Survival Guide ... 24
  ECT.COOP ... 25
  Contribute Control Systems Security Articles to Future ICSJWG Quarterly Newsletters ... 25
  RSS ... 25

2016 Copyright, Encari, a division of PowerSecure, Inc. This Security Awareness Bulletin is provided as a complimentary service by Encari to aid entities in complying with the NERC CIP Reliability Standards. Each entity remains responsible, however, for establishing that the dissemination and documented use of this Bulletin meets the requirements under the NERC CIP Reliability Standards.
Security Awareness Bulletin Volume VIII, Issue I: April, 2016 Threats, Vulnerabilities and Incidents Cisco Security Advisory (cisco-sa-20160330-fp): Cisco Firepower Malware Block Bypass Vulnerability A vulnerability in the malicious file detection and blocking features of Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on an affected system The vulnerability is due to improper input validation of fields in HTTP headers An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system A successful exploit could allow the attacker to bypass malicious file detection or blocking policies that are configured for the system, which could allow malware to pass through the system undetected Cisco has released software updates that address this vulnerability There are no workarounds that address this vulnerability For additional details and mitigation, click here US-CERT Alert (TA16-091A): Ransomware and Recent Variants In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide Ransomware is a type of malicious software that infects a computer and restricts users access to it until a ransom is paid to unlock it The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware For additional details and mitigation, click here ICS-CERT Alert (IR-ALERT-H-16-056-01): Cyber-Attack Against Ukrainian Critical Infrastructure On December 23, 2015, Ukrainian power companies experienced unscheduled power outages impacting a large number of customers in Ukraine 
In addition, there have also been reports of malware found in Ukrainian companies in a variety of critical infrastructure sectors Public reports indicate that the BlackEnergy BE malware was discovered on the companies computer networks however it is important to note that the role of BE in this event remains unknown pending further technical analysis An interagency team comprised of representatives from the National Cybersecurity and Communications Integration Center (NCCIC)/Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), U.S Computer Emergency Readiness Team (US-CERT), Department of Energy, Federal Bureau of Investigation, and the North American Electric Reliability Corporation traveled to Ukraine to collaborate and gain more insight The Ukrainian government worked closely and openly with the U.S team and shared information to help prevent future cyber-attacks This report provides an account of the events that took place based on interviews with company personnel This report is being shared for situational awareness and network defense purposes ICSCERT strongly encourages organizations across all sectors to review and employ the mitigation strategies listed below 2016 Copyright, Encari, a division of PowerSecure, Inc This Security Awareness Bulletin is provided as a complimentary service by Encari to aid entities in complying with the NERC CIP Reliability Standards Each entity remains responsible, however, for establishing that the dissemination and documented use of this Bulletin meets the requirements under the NERC CIP Reliability Standards Page of 26 Volume VIII, Issue I: April, 2016 Encari Security Awareness Bulletin Additional information on this incident including technical indicators can be found in the TLP GREEN alert (IR-ALERT-H-16-043-01P and subsequent updates) that was released to the US-CERT secure portal US critical infrastructure asset owners and operators can request access to this information by emailing ics-cert@hq.dhs.gov 
For additional details and mitigation, click here ICS-CERT Advisory (ICSA-16-084-01): Vulnerability Cogent DataHub Elevation of Privilege Steven Seeley of Source Incite has identified a privilege elevation vulnerability in the Cogent DataHub application produced by Cogent Real-Time Systems, Inc Cogent has produced a new version to mitigate this vulnerability Steven Seeley has tested the new version to validate that it resolves the vulnerability For additional details and mitigation, click here ICS-CERT Advisory (ICSA-16-082-01): Permissions Vulnerability Siemens APOGEE Insight Incorrect File Siemens has identified an incorrect file permissions vulnerability in APOGEE Insight Network & Information Security Ltd Company and HuNan Quality Inspection Institute reported this issue directly to Siemens Siemens has provided workaround instructions to mitigate this vulnerability For additional details and mitigation, click here ICS-CERT Advisory (ICSA-16-077-01A): Vulnerability (Update A) ABB Panel Builder 800 DLL Hijacking This updated advisory is a follow-up to the original advisory titled ICSA-16-077-01 ABB Panel Builder 800 DLL Hijacking Vulnerability that was published March 17, 2016, on the NCCIC/ICS-CERT web site Ivan Sanchez from Nullcode Team has identified a DLL Hijacking vulnerability in the ABB Panel Builder 800 Version 5.1 application Panel Builder Version 6.0 is not affected by this vulnerability For additional details and mitigation, click here ICS-CERT Advisory (ICSA-16-075-01): Siemens SIMATIC S7-1200 CPU Protection Mechanism Failure Siemens has identified a protection mechanism failure vulnerability in old firmware versions of SIMATIC S7-1200 Maik Brüggemann and Ralf Spenneberg from Open Source Training reported this issue directly to Siemens Siemens provides SIMATIC S7-1200 CPU product, release V4.0 or newer, to mitigate this vulnerability and recommends keeping the firmware up to date This vulnerability could be exploited remotely For additional details 
and mitigation, click here ICS-CERT Advisory (ICSA-16-070-01): Ethernet Frame Padding Vulnerability Schneider Electric Telvent RTU Improper David Formby and Raheem Beyah of Georgia Tech have identified a vulnerability caused by an Institute of Electrical and Electronics Engineers (IEEE) conformance issue involving improper frame padding in Schneider Electric s Telvent SAGE and remote terminal units RTUs Schneider Electric has already released a revision that eliminates this vulnerability This advisory serves as a notification of a new vulnerability in the previous software version The researchers have 2016 Copyright, Encari, a division of PowerSecure, Inc This Security Awareness Bulletin is provided as a complimentary service by Encari to aid entities in complying with the NERC CIP Reliability Standards Each entity remains responsible, however, for establishing that the dissemination and documented use of this Bulletin meets the requirements under the NERC CIP Reliability Standards Page of 26 Volume VIII, Issue I: April, 2016 Encari Security Awareness Bulletin tested the revision to validate that it resolves the reported vulnerability For additional details and mitigation, click here ICS-CERT Advisory (Advisory (ICSA-16-063-01): Moxa ioLogik E2200 Series Weak Authentication Practices This advisory is a follow-up to the alert titled ICS-ALERT-15-224-04 Moxa ioLogik E2210 Vulnerabilitiesa that was published August 12, 2015, on the NCCIC/ICS-CERT web site Independent researcher Aditya Sood reported weak authentication vulnerabilities in Moxa ioLogik E2200 Ethernet Micro RTU controllers Moxa has produced a network security enhancement to mitigate these vulnerabilities These vulnerabilities could be exploited remotely Exploits that target these vulnerabilities are publicly available For additional details and mitigation, click here ICS-CERT Advisory (Advisory (ICSA-16-061-01): Operation Automation Server Vulnerability Schneider Electric Building Independent researcher 
Karn Ganeshen has identified a vulnerability in servers programmed with Schneider Electric s StruxureWare Building Operation software Schneider Electric has produced a new version to mitigate this vulnerability This vulnerability could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (Advisory (ICSA-16-061-02): Rockwell Automation Allen-Bradley CompactLogix Reflective Cross-Site Scripting Vulnerability This advisory is a follow-up to the alert titled ICS-ALERT-15-225-01A Rockwell Automation 1766L32 Series Vulnerability that was published August 13, 2015, on the NCCIC/ICS-CERT web site Independent researcher Aditya Sood has identified a cross-site scripting vulnerability in Rockwell Automation s CompactLogix controller This vulnerability has been publicly disclosed Rockwell Automation has produced a new firmware version to mitigate this vulnerability This vulnerability could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-16-049-01): Bypass Vulnerability B+B SmartWorx VESP211 Authentication Independent researcher Maxim Rupp has identified an authentication bypass vulnerability in B+B SmartWorx s VESP serial servers B B SmartWorx has produced an implementation plan to mitigate this vulnerability This vulnerability could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-16-049-02): AMX Multiple Products Credential Management Vulnerabilities NCCIC/ICS-CERT has become aware of public reporting of credential management vulnerabilities in multiple Harman AMX multimedia devices AMX has confirmed the existence of hard-coded passwords in multiple products AMX has produced patches and new product versions to mitigate one of the vulnerabilities in the affected products AMX is working to release new product versions to mitigate the remaining credential management vulnerability in their affected products These vulnerabilities could be exploited 
remotely Exploits that target these vulnerabilities are known to be publicly available For additional details and mitigation, click here 2016 Copyright, Encari, a division of PowerSecure, Inc This Security Awareness Bulletin is provided as a complimentary service by Encari to aid entities in complying with the NERC CIP Reliability Standards Each entity remains responsible, however, for establishing that the dissemination and documented use of this Bulletin meets the requirements under the NERC CIP Reliability Standards Page 10 of 26 Encari Security Awareness Bulletin Volume VIII, Issue I: April, 2016 product PlantVisorEnhanced and is no longer supported This vulnerability could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-15-337-02): Hospira Multiple Products Buffer Overflow Vulnerability This advisory was originally posted to the US-CERT secure Portal library on December 3, 2015, and is being released to the NCCIC/ICS-CERT web site Jeremy Richards of SA)NT Corporation has identified a buffer overflow vulnerability in (ospira s LifeCare PCA Infusion System Hospira has determined that LifeCare PCA Infusion Systems released prior to July 2009 that are running Communication Engine (CE) Version 1.0 or earlier are vulnerable )n response to Jeremy Richards reported vulnerability (ospira has assessed other products and determined that Plum A+/A+3 Infusion Systems, released prior to March 2009 and running CE Version 1.0 or earlier versions, also contain the identified vulnerability Hospira has confirmed that LifeCare PCA and Plum A+/A+3 Infusion Systems, running CE Version 1.2 or later versions, sold after the aforementioned dates, are not vulnerable This vulnerability could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-16-019-01): Vulnerability Siemens OZW672 and OZW772 XSS Independent researcher Aditya Sood has identified a cross-site scripting vulnerability in Siemens 
OZW672 and OZW772 devices Siemens has produced a firmware update to mitigate this vulnerability This vulnerability could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-16-014-01): Advantech WebAccess Vulnerabilities Ilya Karpov of Positive Technologies, Ivan Sanchez, Andrea Micalizzi, Ariele Caltabiano, Fritz Sands, Steven Seeley, and an anonymous researcher have identified multiple vulnerabilities in Advantech WebAccess application Many of these vulnerabilities were reported through the Zero Day Initiative (ZDI) and iDefense Advantech has produced a new version to mitigate these vulnerabilities Ivan Sanchez has tested the new version to validate that it resolves the vulnerabilities which he reported These vulnerabilities could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-15-356-01): Siemens RUGGEDCOM ROX-based Devices NTP Vulnerabilities Siemens has reported to NCCIC/ICS-CERT that NTP daemon vulnerabilities exist in the Siemens RUGGEDCOM ROX-based devices Siemens has produced firmware updates to mitigate these vulnerabilities These vulnerabilities could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-15-351-01): Overflow Vulnerability Schneider Electric Modicon M340 Buffer David Atch of CyberX has identified a buffer overflow vulnerability in Schneider Electric s Modicon M340 PLC product line Schneider Electric has produced a new firmware patch to mitigate this vulnerability This vulnerability could be exploited remotely For additional details and mitigation, click here 2016 Copyright, Encari, a division of PowerSecure, Inc This Security Awareness Bulletin is provided as a complimentary service by Encari to aid entities in complying with the NERC CIP Reliability Standards Each entity remains responsible, however, for establishing that the dissemination and documented use of this Bulletin meets the requirements under 
the NERC CIP Reliability Standards Page 12 of 26 Volume VIII, Issue I: April, 2016 Encari Security Awareness Bulletin ICS-CERT Advisory (ICSA-15-351-02): Vulnerabilities Motorola MOSCAD SCADA IP Gateway Independent researcher Aditya K Sood has identified Remote File Inclusion (RFI) and Cross-Site Request Forgery (CSRF) vulnerabilities in Motorola Solutions MOSCAD )P Gateway Motorola Solutions has confirmed this product was cancelled at the end of 2012 and no longer offer software updates These vulnerabilities could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-15-351-03): eWON Vulnerabilities Independent researcher Karn Ganeshen has identified several vulnerabilities in the eWON sa industrial router eWON sa has produced an updated firmware to mitigate these vulnerabilities These vulnerabilities could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-15-349-01): Adcon Telemetry A840 Vulnerabilities )ndependent researcher Aditya K Sood has identified vulnerabilities in Adcon Telemetry s A Telemetry Gateway Base Station Adcon Telemetry has stated that the A840 is an obsolete product and is no longer supported No patches or updates will be created for this product Adcon Telemetry sent a message to all known customers to offer to upgrade to a more secure and stable version These vulnerabilities could be exploited remotely For additional details and mitigation, click here ICS-CERT Advisory (ICSA-15-344-01B): Advantech EKI Vulnerabilities (Update B) This updated advisory is a follow-up to the updated advisory titled ICSA-15-344-01A Advantech EKI Vulnerabilities that was published December 15, 2015, on the NCCIC/ICS-CERT web site (D Moore of Rapid identified several vulnerabilities in Advantech s EK) Advantech has released updated firmware to mitigate these vulnerabilities These vulnerabilities could be exploited remotely Exploits that target these vulnerabilities are known to 
be publicly For additional details and mitigation, click here Vulnerability Note (VU# 732760): Autodesk Backburner Manager contains a stack-based buffer overflow vulnerability Autodesk Backburner 2016, version 2016.0.0.2150 and earlier, fails to properly check the length of command input which may be leveraged to create a denial of service condition or to execute arbitrary code For detailed description, impact and solution, click here Vulnerability Note (VU# 319816): npm fails to restrict the actions of malicious npm package npm allows packages to take actions that could result in a malicious npm package author to create a worm that spreads across the majority of the npm ecosystem For detailed description, impact and solution, click here 2016 Copyright, Encari, a division of PowerSecure, Inc This Security Awareness Bulletin is provided as a complimentary service by Encari to aid entities in complying with the NERC CIP Reliability Standards Each entity remains responsible, however, for establishing that the dissemination and documented use of this Bulletin meets the requirements under the NERC CIP Reliability Standards Page 13 of 26 Encari Security Awareness Bulletin Volume VIII, Issue I: April, 2016 Vulnerability Note (VU# 27947): Granite Data Services AMF framework fails to properly parse XML input containing a reference to external entities Granite Data Services version 3.1.1-SNAPSHOT AMF framework is vulnerable to XML external entity (XXE) attack that may be leveraged to expose sensitive data on the host For detailed description, impact and solution, click here Vulnerability Note (VU# 897144): Solarwinds Dameware Remote Mini Controller Windows service is vulnerable to stack buffer overflow Solarwinds Dameware Remote Mini Controller is a software for assisting in remote desktop connections for helpdesk support According to the reporter, the Solarwinds Dameware Remote Mini Controller Windows service, dwrcs.exe, is vulnerable to stack-based buffer overflow A remote 
attacker sending carefully crafted data may be able to obtain private information or execute code The researcher has published an advisory with more information The CERT/CC has not been able to confirm this information with the vendor For detailed description, impact and solution, click here Vulnerability Note (VU# 713312): DTE Energy Insight app vulnerable to information exposure The DTE Energy Insight app lets DTE Energy customers track their energy usage This information is exposed via an HTTP REST API The API contains a parameter 'filter' that may be manipulated by an authenticated user This parameter determines the customer data to be returned by the server By manipulating the 'filter' parameter, an authorized user may be able to obtain and query limited customer information for other users For detailed description, impact and solution, click here Vulnerability Note (VU# 270232): Quagga bgpd with BGP peers enabled for VPNv4 contains a buffer overflow vulnerability Quagga is a software routing suite that implements numerous routing protocols for Unix-based platforms A memcpy function in the VPNv4 NLRI parser of bgp_mplsvpn.c does not properly check the upper-bound length of received Labeled-VPN SAFI routes data, which may allow for arbitrary code execution on the stack Note that hosts are only vulnerable if bgpd is running with BGP peers enabled for VPNv4, which is not a default configuration For more details, refer to the Quagga changelog and commit notes For detailed description, impact and solution, click here Vulnerability Note (VU# 583776): Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected This is known as the "DROWN" attack in the media For detailed description, impact and solution, click here Vulnerability Note (VU# 938151): Forwarding Loop Attacks in Content Delivery 
Vulnerability Note (VU#938151): Forwarding Loop Attacks in Content Delivery Networks may result in denial of service
Content Delivery Networks (CDNs) may in some scenarios be manipulated into a forwarding loop, which consumes server resources and causes a denial of service (DoS) on the network. For detailed description, impact and solution, click here.

Vulnerability Note (VU#419128): IKE/IKEv2 protocol implementations may allow network amplification attacks
Implementations of the IKEv2 protocol are vulnerable to network amplification attacks. For detailed description, impact and solution, click here.

Vulnerability Note (VU#444472): QNAP Signage Station and iArtist Lite contain multiple vulnerabilities
The QNAP Signage Station prior to version 2.0.1 and the accompanying iArtist Lite application contain multiple vulnerabilities. For detailed description, impact and solution, click here.

Vulnerability Note (VU#981271): Multiple wireless keyboard/mouse devices use an unsafe proprietary wireless protocol
Wireless keyboard and mouse devices from multiple vendors use proprietary wireless protocols that are not properly secured. For detailed description, impact and solution, click here.

Vulnerability Note (VU#485744): Flexera Software FlexNet Publisher lmgrd contains a buffer overflow vulnerability
In Flexera Software FlexNet Publisher, version 11.13.1.0 and earlier, the lmgrd and custom vendor daemon servers contain a buffer overflow vulnerability that may be leveraged to gain code execution. For detailed description, impact and solution, click here.

Vulnerability Note (VU#899080): Zhuhai RaySharp firmware for DVRs from multiple vendors contains hard-coded credentials
Digital Video Recorders (DVRs), security cameras, and possibly other devices from multiple vendors use firmware derived from Zhuhai RaySharp that contains a hard-coded root password. For detailed description, impact and solution, click here.

Vulnerability Note (VU#923388): Swann SRNVW-470 allows unauthorized access to video stream and contains a hard-coded password
Swann network video recorder (NVR) devices contain a hard-coded password and do not require authentication to view the video feed when it is accessed from specific URLs. For detailed description, impact and solution, click here.

Vulnerability Note (VU#457759): glibc vulnerable to stack buffer overflow in DNS resolver
GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code. For detailed description, impact and solution, click here.

Vulnerability Note (VU#507216): Hirschmann "Classic Platform" switches reveal administrator password in SNMP community string by default
Hirschmann "Classic Platform" switches contain a password sync feature that syncs the switch administrator password with the SNMP community string, exposing the administrator password to attackers on the local network. For detailed description, impact and solution, click here.
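The 'filter' parameter problem in the DTE Energy Insight note above is an authorization bypass of a common shape: the server lets the caller's query decide whose records come back. The Python below is an added illustration, not DTE's code or API; the record layout, the field=value&field=value filter syntax, and the sample data are constructed. It places a handler that applies the client's filter as received beside one that binds the customer id to the authenticated session before any filter is evaluated, so the client can narrow its own data but never widen the query to someone else's.

```python
from dataclasses import dataclass

# Constructed sample data standing in for the usage records an energy-tracking API might serve.
RECORDS = [
    {"customer_id": "1001", "meter": "M-1", "month": "2016-02", "kwh": 812},
    {"customer_id": "1001", "meter": "M-1", "month": "2016-03", "kwh": 744},
    {"customer_id": "2002", "meter": "M-7", "month": "2016-03", "kwh": 1290},
    {"customer_id": "3003", "meter": "M-9", "month": "2016-03", "kwh": 455},
]


@dataclass(frozen=True)
class Session:
    """The authenticated caller, populated by the login layer and never from request parameters."""
    customer_id: str


def parse_filter(filter_param: str) -> dict:
    """Turn the hypothetical 'field=value&field=value' syntax into a dict of equality constraints."""
    constraints = {}
    for clause in filter(None, filter_param.split("&")):
        if "=" not in clause:
            raise ValueError(f"malformed filter clause: {clause!r}")
        field, value = clause.split("=", 1)
        constraints[field.strip()] = value.strip()
    return constraints


def select(constraints: dict) -> list:
    """Return every record whose fields match all constraints (stands in for the database query)."""
    return [r for r in RECORDS if all(str(r.get(f)) == v for f, v in constraints.items())]


def usage_vulnerable(session: Session, filter_param: str) -> list:
    """Trusts the client's filter outright: 'customer_id=2002' sent by customer 1001 returns 2002's data."""
    return select(parse_filter(filter_param))


def usage_hardened(session: Session, filter_param: str) -> list:
    """Scopes every query to the session's customer; a filter naming another customer is refused, not rewritten."""
    constraints = parse_filter(filter_param)
    requested = constraints.get("customer_id")
    if requested is not None and requested != session.customer_id:
        # Deny loudly rather than silently correcting, so the attempt is visible to monitoring.
        raise PermissionError(f"customer {session.customer_id} requested data for customer {requested}")
    constraints["customer_id"] = session.customer_id   # the authoritative value comes from the session
    return select(constraints)


if __name__ == "__main__":
    me = Session("1001")
    print("vulnerable:", usage_vulnerable(me, "customer_id=2002&month=2016-03"))
    print("hardened:  ", usage_hardened(me, "month=2016-03"))
```

The test for any such endpoint is the one in the note: log in as one customer, put another customer's identifier in the filter, and check whether the response changes. In the hardened handler the tenant constraint is added server-side after parsing, so no filter syntax the client controls can remove it.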
Vulnerability Note (VU#327976): Cisco Adaptive Security Appliance (ASA) IKEv1 and IKEv2 contains a buffer overflow vulnerability
The Cisco Adaptive Security Appliance (ASA) Internet Key Exchange versions 1 and 2 (IKEv1 and IKEv2) implementation contains a buffer overflow vulnerability that may be leveraged to gain remote code execution. For detailed description, impact and solution, click here.

Vulnerability Note (VU#305096): Comodo Chromodo browser with Ad Sanitizer does not enforce same origin policy and is based on an outdated version of Chromium
Comodo Chromodo browser, version 45.8.12.391 and possibly earlier, bundles the Ad Sanitizer extension, version 1.4.0.26, which disables the same origin policy, allowing for the possibility of cross-domain attacks by malicious or compromised web hosts. Chromodo is based on an outdated release of Chromium with known vulnerabilities. For detailed description, impact and solution, click here.

Vulnerability Note (VU#777024): Netgear Management System NMS300 contains arbitrary file upload and path traversal vulnerabilities
Netgear Management System NMS300, version 1.5.0.11 and earlier, is vulnerable to arbitrary file upload, which may be leveraged by unauthenticated users to execute arbitrary code with SYSTEM privileges. A directory traversal vulnerability enables authenticated users to download arbitrary files. For detailed description, impact and solution, click here.

Vulnerability Note (VU#544527): OpenELEC and RasPlex have a hard-coded SSH root password
OpenELEC and derivatives utilize a hard-coded default root password and enable SSH root access by default. For detailed description, impact and solution, click here.

Vulnerability Note (VU#972224): Huawei Mobile WiFi E5151 and E5186 routers use insufficiently random values for DNS queries
Huawei Mobile WiFi E5151, firmware version 21.141.13.00.1080, and E5186, firmware version V200R001B306D01C00, use insufficiently random values for DNS queries and are vulnerable to DNS spoofing attacks. For detailed description, impact and solution, click here.

Vulnerability Note (VU#257823): OpenSSL re-uses unsafe prime numbers in Diffie-Hellman protocol
OpenSSL may generate unsafe primes for use in the Diffie-Hellman protocol, which may lead to disclosure of enough information for an attacker to recover the private Diffie-Hellman key. For detailed description, impact and solution, click here.

Vulnerability Note (VU#992624): Harman AMX multimedia devices contain hard-coded credentials
Multiple models of Harman AMX multimedia devices contain a hard-coded debug account. For detailed description, impact and solution, click here.

Vulnerability Note (VU#916896): Oracle Outside In 8.5.2 contains multiple stack buffer overflows
Oracle Outside In versions 8.5.2 and earlier contain stack buffer overflow vulnerabilities in the parsers for WK4, Doc, and Paradox DB files, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. For detailed description, impact and solution, click here.

Vulnerability Note (VU#772447): ffmpeg and Libav cross-domain information disclosure vulnerability
ffmpeg and Libav contain a cross-domain information disclosure vulnerability. For detailed description, impact and solution, click here.

Vulnerability Note (VU#456088): OpenSSH Client contains a client information leak
vulnerability and buffer overflow
OpenSSH client code versions 5.4 through 7.1p1 contains a client information leak vulnerability that could allow a malicious or compromised server to make the OpenSSH client leak information, including but not limited to private keys, as well as a buffer overflow in certain non-default configurations. The leak is in the client's undocumented connection roaming feature, which is enabled by default in the affected versions; setting UseRoaming no in ssh_config disables it until the client is upgraded. For detailed description, impact and solution, click here.

Vulnerability Note (VU#753264): Ipswitch WhatsUp Gold does not validate commands when deserializing XML objects
Ipswitch WhatsUp Gold version 16.3 does not properly validate data when deserializing XML objects sent over SOAP requests. For detailed description, impact and solution, click here.

Vulnerability Note (VU#820196): Furuno Voyage Data Recorder (VDR) moduleserv firmware update utility fails to properly sanitize user-provided input
The Furuno Voyage Data Recorder (VDR) VR-3000/VR-3000S and VR-7000 moduleserv firmware update utility fails to properly sanitize user-provided input and is vulnerable to arbitrary command execution with root privileges. For detailed description, impact and solution, click here.

Security Publications, Tips, Tools and Solutions

NISTIR 8055: Derived Personal Identity Verification (PIV) Credentials (DPC) Proof of Concept Research
This report documents proof of concept research for Derived Personal Identity Verification (PIV) Credentials. Smart card-based PIV Cards cannot be readily used with most mobile devices, such as smartphones and tablets, but Derived PIV Credentials (DPCs) can be used instead to PIV-enable these devices and provide multi-factor authentication for mobile device users. This report captures existing requirements related to DPCs, proposes an architecture that supports these requirements, and then demonstrates how such an architecture could be implemented and operated. To review the document, click here.

NISTIR 8054: NSTIC Pilots: Catalyzing the Identity Ecosystem
Pilots are an integral part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), issued by the White House in 2011 to encourage enhanced security, privacy, interoperability, and ease of use for online transactions. This document details summaries and outcomes of NSTIC pilots; in addition, it explores common themes in the pilots' work developing and operating innovative identity solutions. To review the document, click here.

NISTIR 7511 Rev 4: Security Content Automation Protocol (SCAP) Version 1.2 Validation Program Test Requirements
This report defines the requirements and associated test procedures necessary for products or modules to achieve one or more Security Content Automation Protocol (SCAP) validations. Validation is awarded based on a defined set of SCAP capabilities by independent laboratories that have been accredited for SCAP testing by the NIST National Voluntary Laboratory Accreditation Program (NVLAP). To review the document, click here.

NIST Special Publication 800-38G: Recommendation for Block Cipher Modes of Operation: Methods for Format-Preserving Encryption
This publication specifies and approves the FF1 and FF3 encryption modes of operation of the AES algorithm. The previously approved encryption modes are not designed for non-binary data such as Social Security numbers (SSNs); in particular, the decimal representation of an encrypted SSN might consist of more than nine digits, so it would not look like an SSN. By contrast, format-preserving encryption (FPE) methods such as FF1 and FF3 are designed for data that is not necessarily binary. In particular, given any finite set of symbols, like the decimal numerals, a method for FPE transforms data that is formatted as a sequence of the symbols in such a way that the encrypted form of the data has the same format, including the length, as the original data. Thus, an FPE-encrypted SSN would be a sequence of nine decimal digits. FPE modes facilitate the retrofitting of encryption technology to existing devices or software, where a conventional encryption mode might not be feasible; in particular, database applications may not support changes to the length or format of data fields. More generally, FPE can support the sanitization of databases, i.e., the targeting of encryption to personally identifiable information (PII), such as SSNs. The encrypted SSNs could still serve as an index to facilitate statistical research, perhaps across multiple databases. An important caveat to this application of FPE is that re-identification is sometimes feasible through the analysis of the unencrypted data and other information. The commercial impetus comes from the payments industry, where FPE methods have already been deployed in merchants' credit card readers. To view the publication, click here.
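To make the format-preserving property concrete, here is an added example in Python; it is not code from SP 800-38G and it is not FF1 or FF3. It keeps the ten-round, unbalanced Feistel structure over decimal strings that FF1 uses, but substitutes HMAC-SHA256 from the standard library for the AES-based pseudorandom function the standard specifies, so it runs without a crypto library (use a vetted FF1 implementation for real data). It shows the three points the publication makes: a nine-digit SSN encrypts to nine digits, the mapping is reversible under the key, and, because FPE is deterministic for a given key and tweak, equal SSNs still match across databases, which is exactly why the re-identification caveat applies. The key, tweak and SSNs are constructed.

```python
import hashlib
import hmac

RADIX = 10      # decimal digits
ROUNDS = 10     # FF1 also uses ten Feistel rounds


def _num(digits: str) -> int:
    """NUM(X): interpret a digit string as an integer, most significant digit first."""
    return int(digits, RADIX) if digits else 0


def _str(n: int, length: int) -> str:
    """STR(n): the integer back as a fixed-length, zero-padded digit string."""
    return str(n).zfill(length)


def _round_function(key: bytes, tweak: bytes, i: int, half: str, m: int) -> int:
    """Round value from the tweak, round index and the other half (HMAC here; FF1 uses AES CBC-MAC)."""
    mac = hmac.new(key, tweak + bytes([i]) + half.encode("ascii"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % RADIX ** m


def _check(text: str) -> None:
    if len(text) < 2 or not text.isdigit():
        raise ValueError("input must be a string of at least two decimal digits")


def fpe_encrypt(key: bytes, tweak: bytes, plaintext: str) -> str:
    """Feistel FPE over digit strings: the output has the same length and alphabet as the input."""
    _check(plaintext)
    n = len(plaintext)
    u, v = n // 2, n - n // 2               # unbalanced split, as in FF1
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # the half being replaced alternates in length
        y = _round_function(key, tweak, i, b, m)
        c = (_num(a) + y) % RADIX ** m
        a, b = b, _str(c, m)
    return a + b


def fpe_decrypt(key: bytes, tweak: bytes, ciphertext: str) -> str:
    """Run the rounds backwards; the round function is never inverted, which is why a MAC suffices."""
    _check(ciphertext)
    n = len(ciphertext)
    u, v = n // 2, n - n // 2
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_function(key, tweak, i, a, m)
        c = (_num(b) - y) % RADIX ** m
        a, b = _str(c, m), a
    return a + b


def demo(key: bytes, tweak: bytes, ssn: str) -> dict:
    """Encrypt one value and report the properties the publication describes."""
    ct = fpe_encrypt(key, tweak, ssn)
    return {
        "ciphertext": ct,
        "same_format": len(ct) == len(ssn) and ct.isdigit(),
        "round_trip": fpe_decrypt(key, tweak, ct) == ssn,
        "deterministic": fpe_encrypt(key, tweak, ssn) == ct,   # equal inputs stay joinable, and re-identifiable
    }


# Constructed demo key and tweak. In practice the key lives in a KMS/HSM and the tweak is non-secret
# context such as the column name, so the same SSN encrypts differently in different columns.
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
DEMO_TWEAK = b"customers.ssn"

if __name__ == "__main__":
    print(demo(DEMO_KEY, DEMO_TWEAK, "123456789"))
```

The tweak is the control a deployment has over the determinism trade-off: the same tweak across two databases keeps encrypted SSNs joinable for the statistical use the text mentions, while distinct tweaks per table break that linkage and with it one avenue of re-identification.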
NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. To view the publication, click here.

NIST Special Publication 800-125B: Secure Virtual Network Configuration for Virtual Machine (VM) Protection
Virtual machines (VMs) are key resources to be protected, since they are the compute engines hosting mission-critical applications. Since VMs are end nodes of a virtual network, the configuration of the virtual network is an important element in the security of the VMs and their hosted applications. The virtual network configuration areas discussed in this document are network segmentation, network path redundancy, traffic control using firewalls, and VM traffic monitoring. This document analyzes the configuration options under these areas and presents a corresponding set of recommendations for secure virtual network configuration for VM protection. To view the publication, click here.

NIST Special Publication 800-73-4: Interfaces for Personal Identity Verification
FIPS 201 defines the requirements and characteristics of a government-wide interoperable identity credential. FIPS 201 also specifies that this identity credential must be stored on a smart card. This document, SP 800-73, contains the technical specifications to interface with the smart card to retrieve and use the PIV identity credentials. The specifications reflect the design goals of interoperability and PIV Card functions. The goals are addressed by specifying a PIV data model, card edge interface, and application programming interface. Moreover, this document enumerates requirements where the international integrated circuit card standards [ISO7816] include options and branches. The specifications go further by constraining implementers' interpretations of the normative standards. Such restrictions are designed to ease implementation, facilitate interoperability, and ensure performance, in a manner tailored for PIV applications. To view the publication, click here.

NIST Special Publication 800-57 Part 1 Rev 4: Recommendation for Key Management, Part 1: General
This Recommendation provides cryptographic key management guidance. It consists of three parts. Part 1 provides general guidance and best practices for the management of cryptographic keying material. Part 2 provides guidance on policy and security planning requirements for U.S. government agencies. Finally, Part 3 provides guidance when using the cryptographic features of current systems. To view the publication, click here.

ICS-CERT Releases CSET 7.1
ICS-CERT released the latest version of its Cyber Security Evaluation Tool (CSET), CSET 7.1, in February 2016. CSET provides a systematic, disciplined, and repeatable approach for evaluating an organization's cybersecurity posture. CSET is a desktop software tool that guides asset owners and operators through a step-by-step process to analyze their ICS and IT network security practices using many recognized government and industry standards and recommendations. CSET is distributed freely to the public. For additional information on CSET or to
download a copy, click here.

ICS-CERT Fact Sheets
ICS-CERT recently published eight updated fact sheets. Below are links to access each fact sheet:
Industrial Control Systems Cyber Emergency Response Team
Preparing for Cyber Incident Analysis
Industrial Control Systems Joint Working Group
Control Systems Architecture Analysis Services
Cyber Security Evaluation Tool
Cyber Resilience Review and Cyber Security Evaluation Tool
Training
Strategy for Securing Control Systems

NERC Compliance Tools and Resources

Final Lesson Learned Posted
To further ensure registered entity confidence in their transition to CIP V5, NERC continued to work with the Regional Entities and stakeholder participants from the implementation study to develop lessons learned and frequently asked questions on specific issues. The final BES Cyber Assets Lesson Learned is posted to the CIP V5 transition page. The foundational definition for the CIP Version 5 Reliability Standards is cyber assets. When cyber assets meet a threshold of BES impact they become BES Cyber Assets (BCA), which may be grouped by responsible entities into BES Cyber Systems (BCS). In its order, FERC identified that the definition of BCA is intended to capture assets involved in real-time operations, such as systems that provide input to an operator for real-time operations or trigger automated real-time operations. This lesson learned document provides examples of approaches used by Implementation Study participants to identify BES Cyber Assets. Additional lessons learned are under development and will be shared when finalized. A link to the CIP Version 5 transition program lessons learned can also be accessed on the U.S. standards one-stop shop, located on the standards left-hand navigation panel.

CIP V5 Evidence Request Spreadsheets Available
A component of performing a compliance audit is the gathering of evidence to support audit findings. The Regions, as delegates of NERC, perform compliance audits and exercise a degree of independence. Historically, this meant each Region issued a request for information prior to the audit and the responsible entity provided the requested information. In the course of developing the spreadsheets, the development team met with industry representatives to create a better set of Reliability Standard Audit Worksheets (RSAWs). Part of the discussion centered on what types of evidence would be requested to demonstrate compliance with the CIP V5 standards. Since the RSAWs could not provide that level of detail, industry representatives sought more transparency from the evidence requests that the Regions send to responsible entities as part of the audit process. Additionally, there was a request from industry representatives to standardize the evidence requests across the ERO; this was especially important to responsible entities operating in multiple Regions. The CIP Version 5 (revised) evidence request is a common appeal for information that will be available for use by all of the Regions. This document will assist the ERO to be more consistent and transparent in its audit approach. It will also help responsible entities (especially those that operate in multiple Regions) fulfill requests more efficiently by understanding what types of evidence are useful in preparation for an audit. Evidence request spreadsheets help to:
Create a standardized list of preliminary audit evidence required to perform a CIP V5 audit
Provide an audit process for the ERO that will provide a consistent approach to the initial request for information for CIP V5 audits
Reduce or address regional differences in audit approach that would lead to different audit evidence requests
While it is voluntary for industry and Regional Entity auditors to use, the common request for information helps the ERO be more consistent and transparent in its audit approach. For more information, refer to the CIP V5 transition web page and the CIP V5 evidence request user guide.

Highlight on CIP V5 Program Resources
NERC updated the CIP V5 Curriculum document, which provides numerous resources from NERC and the Regional Entities in three categories: 100, standard-specific training; 200, compliance and enforcement considerations; and 300, lessons learned, guidance and FAQs. To view the curriculum, click here.

FERC Orders

Order No. 822: Revised Critical Infrastructure Protection Reliability Standards
FERC issues a final rule adopting revisions to seven Critical Infrastructure Protection (CIP) Reliability Standards, and also directs NERC to develop modifications and conduct a study. Click here to view the order.

RM15-14-000: Letter Order Granting Extension of Time for Revised CIP V5 Reliability Standards
FERC issues a letter order granting an extension of time to defer the implementation of the CIP Version 5 Reliability Standards from April 1, 2016 to July 1, 2016, to align with the effective date for the revised CIP Reliability Standards approved in Order No. 822. Click here to view the order.

NERC Filings with FERC

RM15-14-000: Comments of NERC in Response to Trade Associations' Motion in the Revised CIP Standards Proceeding
NERC
submits comments in response to the motion for extension of time and request for shortened comment period and expedited action filed by the Trade Associations in the revised Critical Infrastructure Protection (CIP) Reliability Standards proceeding. Click here to view a copy of the filing.

Pending Legislation

H.R.4350 - To repeal the Cybersecurity Act of 2015
This bill repeals the Cybersecurity Act of 2015 and restores provisions amended by that Act as if it had not been enacted. Latest Action: 02/03/2016, Referred to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations. Click here for additional information.

S.2665 - State and Local Cyber Protection Act of 2016
To amend the Homeland Security Act of 2002 to require State and local coordination on cybersecurity with the National Cybersecurity and Communications Integration Center. Latest Action: 03/10/2016, Read twice and referred to the Committee on Homeland Security and Governmental Affairs. Click here for additional information.

H.R.4743 - National Cybersecurity Preparedness Consortium Act of 2016
To authorize the Secretary of Homeland Security to establish a National Cybersecurity Preparedness Consortium. Latest Action: 03/18/2016, Referred to the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies. Click here for additional information.

H.R.4860 - United States-Israel Cybersecurity Cooperation Act
To authorize the Secretary of Homeland Security to establish the United States-Israel Cybersecurity Center of
Excellence. Latest Action: 03/23/2016, Referred to the House Committee on Science, Space, and Technology. Click here for additional information.

Upcoming Events
RF Spring Reliability Workshop: April 12-15, 2016; Lewis Center, OH
FRCC Spring Compliance Workshop: April 12-16, 2016; Tampa, FL
NERC Critical Infrastructure Protection Standards Technical Conference: April 19, 2016; Atlanta, GA
Texas RE Spring 2016 Standards & Compliance Workshop: April 20, 2016; Austin, TX
ICSJWG 2016 Spring Meeting: May 3-5, 2016; Scottsdale, AZ
Industrial Control Systems Cybersecurity (301) Training: May 9-13, 2016; Idaho Falls, ID
NPCC Physical Security Information Exchange: May 10, 2016; Cooperstown, NY
NPCC Spring 2016 Compliance and Standards Workshop: May 10-12, 2016; Cooperstown, NY
FRCC 2016 CIP Compliance Workshop: May 10-12, 2016; Tampa, FL
Texas RE Compliance Monitoring Workshop: May 19, 2016; Austin, TX
SPP RE CIP Workshop: May 24-25, 2016; Little Rock, AR
MRO Reliability Conference - Protection Systems: May 25, 2016; St Paul, MN
FERC Reliability Technical Conference: June 1, 2016; Washington, DC
NERC 2016 Standards & Compliance Workshop: July 12-15, 2016; St Louis, MO
Texas RE Compliance 101 Workshop: July 20, 2016; Austin, TX
Black Hat USA 2016: July 30 - August 4, 2016; Las Vegas, NV
SPP RE Fall Workshop: September 20-21, 2016; Oklahoma City, OK
RF Fall Workshop: September 27-30, 2016; Independence, OH
MRO Security Conference: September 27-28, 2016; St Paul, MN
SERC CIP Compliance Seminar: September 27-18, 2016; Charlotte, NC
TRE Fall Standards & Compliance Workshop: October 13, 2016; Austin, TX
NERC GridSecCon 2016: October 17-21, 2016; Quebec, Canada
SERC Fall Compliance Seminar: October 19-19, 2016; Charlotte, NC
WECC CUG & CIPUG: October 25-27, 2016; TBD
FRCC Compliance Fall Workshop: November 8-10, 2016; Tampa, FL
NPCC Compliance Workshop: November 15-17, 2016; Newport, RI
MRO CMEP Conference: November 16, 2016; St Paul, MN

Looking for a Helpful Resource?

Encari's Website
Encari is currently undergoing a full redesign! Not only will it have a whole new look and feel, it will also contain a plethora of new information for your reference. Check back in four to six weeks to view our site updates and new content. To view Encari's current website, click here.

NERC CIP Compliance LinkedIn Group
Looking for a place to pose a general question or to help others with their questions? Try Encari's NERC CIP Compliance LinkedIn group. The NERC CIP Compliance group, which is nearing 4,000 members, has been established to provide a forum within which all parties involved with the bulk power system can collaborate in addressing all considerations pertaining to the NERC CIP compliance life cycle.

Encari's Email Distribution List
With nearly 3,000 subscribers, Encari's email distribution list provides complimentary resources to all interested individuals in the electric utility industry. If you're interested in being invited to Encari's complimentary Webinars, receiving Encari's complimentary quarterly NERC CIP security awareness bulletins (i.e., this and future bulletins), receiving complimentary reference materials and receiving Webinar presentation materials, subscribe to Encari's email distribution list today by sending your request to emailDL@encari.com.

NERC CIP Version 5 Indices
Encari has released comprehensive indices of topics related to the version five North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards in order to assist utilities in understanding and complying with these important and complex new cyber security requirements. One of the indices is geared specifically towards assisting senior managers, per the CIP-002-5 R3 compliance requirement, in navigating the version five standards, while the other index may be used by all others fulfilling various NERC CIP compliance management roles. You may access both versions of the indices by visiting: NERC CIP Version 5 Indices.

Quarterly Security Awareness Resources
Encari believes it is extremely important to fulfill its role in contributing to the electric utility industry. As such, Encari has been providing complimentary quarterly security awareness bulletins addressing a wide variety of security awareness topics that the entire workforces of utilities, municipalities and cooperatives should know. Encari has been providing these complimentary security awareness resources since mid-2009. Feel free to peruse our archives and download any security awareness materials, and/or download any of our previous security awareness bulletins, by clicking here.

NERC CIP Compliance Webinars
In addition to quarterly security awareness bulletins, Encari has been providing complimentary Webinars addressing diverse NERC CIP compliance considerations since 2008. Feel free to peruse our archives and download any NERC CIP compliance presentation materials, and/or the transcribed questions received during each Webinar along with Encari's official responses, by clicking here.

ICS-CERT Critical Infrastructure Feed (Recently Published)
The
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) works to reduce risks within and across all critical infrastructure sectors by partnering with law enforcement agencies and the intelligence community, and by coordinating efforts among Federal, state, local, and tribal governments and control systems owners, operators, and vendors. Additionally, ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERTs) to share control systems-related security incidents and mitigation measures. Recent alerts are available at https://ics-cert.us-cert.gov/alerts

SCADA Security Survival Guide
While you need to register in order to access the contents of this survival guide, which is located at http://www.csoonline.com/article/731294/the-scada-security-survival-guide, it is worth it. This particular article contains a collection of other articles that have been published by CSO addressing the topics of SCADA security threats and mitigation strategies.

ECT.COOP
This great cyber security reference, specifically for co-ops, is available at http://www.ect.coop/tag/cyber-security

Contribute Control Systems Security Articles to Future ICSJWG Quarterly Newsletters
Did you know ICSJWG welcomes contributions from the community pertaining to control systems security for its ICSJWG Quarterly Newsletter? If you want to submit an article for a future newsletter, email your information to icsjwg@hq.dhs.gov and ICSJWG will take your submission under consideration for publication.

RSS
RSS (Really Simple Syndication) feeds can be very helpful. These subscriptions will keep you and your staff current on the latest news as it hits the web. Open source readers and aggregators are readily available; search for "RSS Readers". Subscribing to an RSS feed is a great way to remain current on security issues and regulatory information. Below are some of our favorites:
Security System News: http://www.securitysystemsnews.com/feed/topstories
What's New at FERC?: http://www.ferc.gov/xml/whats-new.xml
FERC Technical Conferences: http://www.ferc.gov/xml/technical-conferences.xml
US-CERT Cybersecurity Bulletins: http://www.us-cert.gov/channels/bulletins.rdf

Do you have a topic to include in a future Encari Security Awareness Bulletin, feedback, or a question concerning any material contained in this bulletin? Contact us at awareness@encari.com

Follow Up
If you need assistance in support of any aspect of your current NERC CIP compliance initiatives, Encari can help. Please contact:
Email address: contactus@encari.com
Phone: (847) 947-8448