We at ControlTrends know that providing your organization with adequate measures against Cyber Threats and Attacks can be a difficult program to get started and even more difficult to sustain. The National Cyber Awareness System, NIST Cyber Security Framework, and US-CERT are great sources of free information that will not only get you started, but help you maintain a well-managed program.
National Cyber Awareness System:
The Australian Cyber Security Centre (ACSC) has released updates to its Essential Eight Maturity Model. The model assists organizations in determining the maturity of their implementation of the Essential Eight—ACSC’s list of the top mitigation strategies to help organizations protect their systems against adversary threats. The model identifies three levels of maturity for each mitigation strategy.
ACSC is the government authority for providing protective security advice to the private sector and state and territory governments across Australia’s national infrastructure.
ControlTalk NOW — Smart Buildings VideoCast and Podcast for week ending November 22, 2015 announces the 2015 ControlTrends Awards Finalists! Cybersecurity SITREP from SmartCore’s Fred Gordy, who invites the ControlTrends Community to use SmartCore’s free on-line Criticality and Threat Assessment survey. US-CERT’s I3C Public Service Announcement and Cyber attack update; Lynxspring’s Onyxx E2E Solution; Sierra Monitor Corporation’s Telecom Site Case Study; FIN Stack Lunch ‘n Learn; and Therese Sullivan writes about the CoRE Tech Silicon Valley event and the slow adoption rate of Smart Building technology.
EasyIO Certification Training in December at Cochrane Supply, MI. With our latest EASYIO 32-bit range of DDC products, you can now build your Automation solutions from top to bottom with a variety of OPEN programming tools. The EASYIO range of IP DDC Controllers is now available and selling worldwide.
30 Minutes with Lynxspring Webinar Series – Professional Services – New Onyxx Products. The 30 Minutes with Lynxspring Webinar Series continues on Wednesday, November 18th, at 12:00 PM CST. Session 6 – Lynxspring’s New Onyxx Products. Overview: Our IoT world increases the number of smart equipment, systems, and devices — creating tremendous intelligence at the edge.
Announcing SmartCore’s Free, Online Criticality and Threat Assessment (CATA). Online Assessment at NO CHARGE to you! SmartCore has developed an online assessment tool that gives building and portfolio management a high level assessment of each building free of charge. Contact firstname.lastname@example.org to receive your assessment link. SmartCore will translate your answers to this short survey into a Threat Assessment Scorecard as well as a prescriptive Cyber Risk Mitigation Plan that we can help you implement to strengthen your defense against attacks.
Sierra Monitor Corporation Case Study on Telecom Site Remote Monitoring. Telecom Site Remote Monitoring: The telecommunications industry includes regional operating companies, traditional long distance carriers, wireless carriers, and cable and satellite service providers; they all deliver voice, data, and video services. Sierra Monitor Corporation shares its extensive expertise about this universal, yet challenging application.
Internet Crime Complaint Center. The Internet Crime Complaint Center (IC3) has issued an alert warning that law enforcement personnel and public officials may be at an increased risk of cyber attacks. In addition to doxing (the act of gathering and publishing individuals’ personal information without permission), threat actors have been observed compromising the email accounts of officers and officials. These target groups should protect their online presence and exposure.
Stromquist Company Hosting Lunch ‘n Learns for FIN Stack. Our Authorized FIN Distributor Stromquist is hosting two free informational Lunch ‘n Learns. The first is at their Atlanta office on Thursday, Nov 19th, from 12:00 – 1:00 EDT, and will also be available remotely via live stream at ControlTrends. The second session will be at their Orlando office on Tuesday, November 24, from 12:00 – 1:00 EDT.
Therese Sullivan Puts the Full Court Press on CoRE Tech’s Silicon Valley Message: ‘Just Do It.’ (By therese554) Smart Building technology isn’t being adopted at the pace expected. Why aren’t more property owners getting off the sidelines? Chicago Bulls Basketball star Michael Jordan inspired a lot of sports watchers to become sports Do-ers in the 1980s and 90s. And, of course, there was the ‘Sneaks.’ Can tech-firm smart building All Stars be as motivating? Are their methods and tools a fit for the rest of us?
ControlTalk NOW Special Guest: SmartCore’s Director of Cybersecurity, Fred Gordy. Fred is responsible for the technology strategy and cyber security for control systems. Fred’s portfolio includes projects at military bases, internet data centers, national retail chains, an international media company, REITs, and research labs. Fred has contributed to and/or been featured in the Wall Street Journal, CNBC, Fox, HPAC Engineering, Retrofit Magazine, Building Context, Healthcare Facilities Today, and BOMA FacilitiesNet.
ControlTalk NOW for the week ending August 16, 2015 focuses on Cyber Security Awareness with a vulnerability summary from the National Cyber Awareness System, Tridium’s Niagara AX security updates, and Fred Gordy’s BAS exposure report from the Shodan site. Delta Controls’ Una de Boer shares her insights about “Doing Things Right.” Join Chris Ryan and “30 Minutes with Lynxspring,” and another great application from Data Center Monitoring experts, Sierra Monitor Corporation.
National Cyber Awareness System: SB15-222: Vulnerability Summary for the Week of August 3, 2015 08/10/2015 06:14 AM EDT. Original release date: August 10, 2015 The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT).
Sierra Monitor’s Featured Application — Data Center Monitoring. Sierra Monitor — Experts in Data Center Monitoring Applications. A data center is a facility used to house networked computer servers and storage systems that are securely connected to the Internet. A data center generally includes redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, gas detection, fire suppression), and physical access control systems.
Niagara AX Updates Available Now — Versions 3.6, 3.7, and 3.8 are Affected. The August 2015 Update Releases are available for download on Niagara Central. The updates include important enhancements that increase the security of a Niagara AX system, including a newer revision of the Java Virtual Machine. VYKON strongly encourages all customers to update Niagara AX to one of the newly available releases.
“30 Minutes with Lynxspring” Webinar Series – August 19, 2015. We are always thinking of ways we can help you maximize your company’s productivity and profitability. This month’s “30 minutes with Lynxspring” discusses the services we provide through our Professional Services Group and how they will help you turn projects over quicker, maximize resources and productivity, allow you more time to increase your customer base, pay more attention to your existing customers, and have the time to spend in front of them discussing additional opportunities.
What Makes a Company Great? It starts with their Philosophy. As we prepare for the nomination period for the 2015 ControlTrends Awards, I am reminded of how many great people, products and companies we have in our industry. It made me wonder what is at the core of these amazing players that make up the Building Automation Controls and HVAC Group. I came across this video and post from Una de Boer, the director of marketing at Delta Controls. Una is one of the bright, hardworking, thoughtful people in our Industry and does a wonderful job of answering my question. So, with her permission, please check out the following video and Una’s words from one of her LinkedIn posts.
Top US Cities With Exposed Niagara Systems. (Disclaimer – It is not the intent of this post to point out a particular BAS software vendor. The intent is to show that we, the system integrator, still have work ahead of us to do our part.) The information I list below I got by running a report on Shodan today (8/13/2015). And it didn’t cost a dime and I didn’t have to use any query language… just plain ole English. I opened the site (https://www.shodan.io/) and in the search bar I typed “niagara”.
National Cyber Awareness System: SB15-222: Vulnerability Summary for the Week of August 3, 2015 08/10/2015 06:14 AM EDT
Original release date: August 10, 2015. For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
chiyutw — bf-660c | Chiyu BF-660C fingerprint access-control devices allow remote attackers to bypass authentication and (1) read or (2) modify communication configuration settings via a request to net.htm, a different vulnerability than CVE-2015-5618. | 2015-07-31 | 7.5 | CVE-2015-2871 CERT-VN
chiyutw — bf-630 | Chiyu BF-630 and BF-630W fingerprint access-control devices allow remote attackers to bypass authentication and (1) read or (2) modify (a) Voice Time Set configuration settings via a request to voice.htm or (b) UniFinger configuration settings via a request to bf.htm, a different vulnerability than CVE-2015-2871. | 2015-07-31 | 7.5 | CVE-2015-5618 CERT-VN
cisco — ios_xe | Cisco IOS XE 2.x before 2.4.3 and 2.5.x before 2.5.1 on ASR 1000 devices allows remote attackers to cause a denial of service (Embedded Services Processor crash) via a crafted series of fragmented (1) IPv4 or (2) IPv6 packets, aka Bug ID CSCtd72617. | 2015-07-31 | 7.8 | CVE-2015-4291 CISCO
dell — bios | The BIOS implementation on Dell Latitude, OptiPlex, Precision Mobile Workstation, and Precision Workstation Client Solutions (CS) devices with model-dependent firmware before A21 does not enforce a BIOS_CNTL locking protection mechanism upon being woken from sleep, which allows local users to conduct EFI flash attacks by leveraging console access, a similar issue to CVE-2015-3692. | 2015-07-31 | 7.2 | CVE-2015-2890 CONFIRM CERT-VN
garrettcom — magnum_10k_firmware | The firmware in MNS before 4.5.6 on Belden GarrettCom Magnum 6K and Magnum 10K switches has a hardcoded serial-console password for a privileged account, which might allow physically proximate attackers to obtain access by establishing a console session to a nonstandard installation on which this account is enabled, and leveraging knowledge of this password. | 2015-08-03 | 7.2 | CVE-2015-3959 MISC CONFIRM
gehealthcare — entegra_p&r_firmware | GE Healthcare eNTEGRA P&R has a password of (1) entegra for the entegra user, (2) passme for the super user of the Polestar/Polestar-i Starlink 4 upgrade, (3) 0 for the entegra user of the Codonics printer FTP service, (4) eNTEGRA for the eNTEGRA P&R user account, (5) insite for the WinVNC Login, and possibly other accounts, which has unspecified impact and attack vectors. NOTE: it is not clear whether this password is default, hardcoded, or dependent on another system or product that requires a fixed value. | 2015-08-04 | 10.0 | CVE-2001-1594 MISC MISC CONFIRM
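As an added example (not part of the US-CERT bulletin or the ControlTrends post), a small Python parser for bulletin rows in the flattened "Vendor — Product Description Published Score CVE Source" form they take when scraped, applying the severity bands stated above and bucketing entries for triage. The sample rows are shortened copies of two rows from this table; accepting either `--` or an em dash as the vendor/product separator is an assumption about how that column renders.

```python
import re

# Constructed sample: two High rows from SB15-222 in the flattened layout the scraped
# bulletin arrives in. The descriptions are shortened; the ids, dates, scores and
# source tags are the ones the bulletin lists for these two rows.
BULLETIN_ROWS = [
    "chiyutw -- bf-660c Chiyu BF-660C fingerprint access-control devices allow remote "
    "attackers to bypass authentication, a different vulnerability than CVE-2015-5618. "
    "2015-07-31 7.5 CVE-2015-2871 CERT-VN",
    "gehealthcare -- entegra_p&r_firmware GE Healthcare eNTEGRA P&R has a password of "
    "entegra for the entegra user, which has unspecified impact and attack vectors. "
    "2015-08-04 10.0 CVE-2001-1594 MISC MISC CONFIRM",
]

# The trailing fields are fixed-format, so the pattern is anchored at the row end. A
# description may cite other ids ("a different vulnerability than CVE-2015-5618"), so
# the entry's own id is the one after the score, never the first CVE string in the row.
ROW_RE = re.compile(
    r"^(?P<vendor>\S+) (?:--|—) (?P<product>\S+) (?P<description>.+?) "
    r"(?P<published>\d{4}-\d{2}-\d{2}) (?P<score>\d{1,2}\.\d) "
    r"(?P<cve>CVE-\d{4}-\d{4,}) (?P<sources>[A-Z][A-Z -]*)$"
)

def severity(score):
    """Bands as the bulletin defines them: High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def parse_row(row):
    """Split one flattened row into a dict; reject off-layout rows rather than guess."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"row does not match bulletin layout: {row[:40]!r}")
    entry = m.groupdict()
    entry["score"] = float(entry["score"])
    entry["sources"] = entry["sources"].split()
    # An id year earlier than the publish year marks an older CVE surfacing in this
    # week's feed (the bulletin's CVE-2001-1594 row is published 2015-08-04).
    entry["older_id"] = int(entry["cve"][4:8]) < int(entry["published"][:4])
    return entry

def triage(rows):
    """Bucket rows by band, highest score first: the order a defender works the list."""
    buckets = {"High": [], "Medium": [], "Low": []}
    for entry in map(parse_row, rows):
        buckets[severity(entry["score"])].append(entry)
    for bucket in buckets.values():
        bucket.sort(key=lambda e: e["score"], reverse=True)
    return buckets
```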