S4x15 OTDay Presentations Are Up

cigarlogofinalWe have posted the presentations from Tuesday’s Operations Technology Day (OTDay) of S4x15. The purpose of OTDay is to provide very practical information on how to apply mission critical IT technology and processes to OT.

There were 150 people in attendance for this bonus day / early start to the week.

In addition to the OTDay sessions, the ICS Village opened and the Capture The Flag competition began. Sponsors all had tabletop displays lining the bustling main hallway.

The event was capped off with the Welcome Party sponsored by PFP Cybersecurity and Waterfall Security Solutions. It was a Cuban themed party with cigar rollers, mojito’s, Cuban food, domino contests, and absolutely perfect weather this year.

15 Reasons to be Optimistic about ICS Security in 2015

2014-2015This is the companion article to our 15 Reasons to be Pessimistic about ICS Security in 2015 that we ran on Friday. On Wednesday I’ll lay out what to look forward to in 2015 based on these two contrasting articles.

Many of the items below come from experiences with clients, peers and ICS community friends. They are not as visible as most of the pessimistic items, but they are activities going on in real companies making real progress on these issues.

  1. Many large asset owners, those with 10, 50 or 100 ICS spread around the world, are deploying ICS security programs across all sites with required security controls and metrics that management is tracking.
  2. The mainstream press remains hot on ICS security stories.
  3. Multiple high quality ICS security training options are available.
  4. Application whitelisting deployed on ICS computers with and without vendor blessing.
  5. Some universities are now performing true ICS security research.
  6. More ICS vendors are implementing an effective security development lifecycle (SDL).
  7. The NIST Cybersecurity Framework is launching C-level discussions and programs.
  8. Governments around the world are now engaged in this problem. Varying approaches, different results.
  9. Peer pressure … multiple examples in 2014 where ICSsec projects were launched because competitor/peer was doing it.
  10. Virtualization is becoming a mainstream deployment option.
  11. Greater acceptance of the need for an inventory, data flow diagrams and other basic documentation.
  12. Leaders in wide variety of sectors beginning ICS security efforts. It’s not focused on electric, petrochem any more.
  13. Wait … we are still running Windows XP? Management awakening to state of cyber maintenance neglect and finding it unacceptable.
  14. Vendors are, admittedly still slowly, adding security posture acceptance tests to FAT and SAT.
  15. Large consulting practices, i.e. IBM, PWC, …, are creating ICS security teams.

What would you add to the list?

Image by PixelVikings

  • Critical Intelligence

15 Reasons to be Pessimistic about ICS Security in 2015

15785032748_631f340d00_m

If this is too depressing, wait for Monday’s article 15 Reasons to be Optimistic about ICS Security in 2015.

  1. Almost all ICS protocols are still insecure by design with no end in sight. Access to ICS = Compromise.
  2. Most potentially influential organization, US Department of Homeland Security (DHS), still will not say critical infrastructure ICS need to be upgraded or replaced. Playing small ball with little or no impact.
  3. No legitimate or reasonably honest and objective Automation Press to reach engineers and technicians.
  4. ISASecure stamp is still being put on insecure by design PLC’s and other embedded devices.
  5. Influential ARC Advisory Group saying 20-something controlling the plant from his basement is inevitable and focus on securing it.
  6. SCADA Apologists still dominate the ICS security thought leader / guru / industry and government expert positions.
  7. Admiral Rogers NSA/US Cyber Command testifies that our lack of defense is why we need to have a strong offense in ICS security.
  8. Malware targeting ICS applications and protocols.
  9. ICS vendors seeing no negative financial impact to vulns/insecure by design product offerings. They are fearlessly saying our product offers no security.
  10. The Internet of Things is confusing ICS security efforts.
  11. “Nothing will change until something really bad happens” mantra.
  12. Even when an ICS vendor has well documented security controls, the ICS vendor or integrator more often than not installs the ICS in most insecure/easiest to install configuration.
  13. CSET.
  14. Continued fascination and focus on vulnerabilities that matter little to critical infrastructure ICS risk.
  15. Widespread misuse of defense-in-depth principle, just put up more security perimeters, as the solution for ICS security issues.

Holistic.

Image by cal 00-0

Friday News and Notes

Letter FGet your S4x15 Hotel Reservation at The Surfcomber today or tomorrow. They still have rooms for Tuesday through Friday nights at the $249 conference rate. The non-conference rate is $529.

We are in the fourth and final tier of S4x15 registration. Seats 151-190 and they are going fast. 36 seats left at the time of this writing.

I’ve been heads down writing assessment reports, so haven’t had time to comment on the attack on Sony Pictures. Probably a good thing as I would have just added to much of what has been mostly speculation without facts. The most relevant aspect to ICS to watch is the response. We better understand the expected response to an actual war, in Thomas Rid’s definition. How companies and countries will react to attacks by ICS cyber weapons that cause economic damage, environmental damage and perhaps minimal loss of life is a wild guess at this point. How many people would have predicted capitulation if you ran the Sony Pictures scenario past them before it occurred.

The more relevant attack news this week came from a German BSI report on ICS attacks in Germany and neighboring countries. (Thanks to Stephan Beirer of GAI NetConsult for the tip and translation.) They discuss some incidents related to Havex, but the most interesting is the attack that damaged a steel plant. It was from the easy to accomplish attack vector of spearphishing people who have remote access to the ICS. “The results were massive damage to the system” (translated).

Less attention has been paid to the disturbance in the Austrian power grid covered in Section 3.4.2 of the BSI report. “The failure was probably due to a Control command issued during the commissioning of a gas system in Southern Germany … triggered errors and also reached Austrian power grid. … This caused major disruptions to Instrumentation and control system for network control. … The grid stability could during the incident be ensured only with great effort.” (translated) We are trying to find someone to speak to this report at ICSage and would appreciate any tips or referrals.

Whose Code Is It, Anyway?

spaghetti_YusukeKawasakiThreatpost and a handful of other news outlets are reporting on a worm actively exploiting the Shellshock bug against unpatched NASes.  As an aside I find it a bit strange that the attackers are only performing clickjacking attacks — a much more obvious attack would be to use CryptoLocker or other data ransomware, since the current worm is targeting storage devices.

The question becomes, whose job is it to find and patch these kinds of bugs?

I hate to always say ‘the vendors,’ although that is my default response.  Vendors however often don’t have the personnel to do reviews on code that they write themselves, let alone to review external code.  Third-party components are usually open source and are often volunteer-driven.

I feel that a group of vendors would be well-served to get together and fund code reviews for commonly-used components. Those vendors could then share back those findings with the public, or, at their discretion, keep the findings internal to their group for proper patching. ‘Collaboratition,’ is a phrase often used in national labs for this kind of information-sharing — not ideal financially, but oftentimes it is the right thing to do (or the only way to get it to work).

Lightweight web servers seem like a good candidate for review, since so many embedded systems make use of them.  We came up with our list of candidate servers based on devices in our lab, then searched for fingerprintable servers on Shodan to get a feel for their popularity overall.  Results are rounded to the nearest 10,000 to help anonymize the actual software that we’re looking at:

Server A: 150,000
Server B: 100,000
Server C: 80,000
Server D: 60,000
Server E: 20,000

We then went ahead and did a cursory code review on every server that we could find code for. This review was just a really basic ‘grep’ analysis, looking for unsafe uses of unsafe C functions: blind strcpy() calls or strncpy() calls that use user-supplied lengths, uses of malloc() that never check for success, calls to sprintf() that never check lengths of input.  Our ‘code quality’ analysis is a generalization based on how much of a headache we got looking at the code: the bigger the headache, the more unmaintainable the codebase is and the more it will cost to fix.

Read More

Friday News & Notes

SCADA Security NewsThe big story of the week was from Bloomberg’s Robertson & Riley: Mysterious ’08 Turkey Pipeline Blast Opened New Cyberwar Era. While the headline isn’t correct, the sourcing is anonymous and some of the technical conclusions are wrong, this is a great example of what cyber weapons may be used for in the future. There may be, and I’d argue will be, many uses of ICS cyber weapons that will not be “war”. I’m looking forward to these discussions at ICSage.

The US House and Senate passed some cybersecurity legislation this week. It will have little impact on critical infrastructure / ICS security, but now the Representatives and Senators can say they did something. It is truly sad if Rep. Meehan is correct in saying, “S. 2519 is the first significant cyber legislation in a decade and among the most important legislation that has been passed this Congress.” You can judge for yourself. Here is the House write-up of the benefits of S.2519 National Cybersecurity Protection Act.

Bedrock Automation has been in semi-stealth mode, if there is such a thing. They have been positioning a “clean sheet of paper” approach to ICS and ICS security. Building a new system from scratch. Details have been and are still very limited, but they released a white paper this week.

Adam Segal from the Council on Foreign Relations published The Top Ten Cybersecurity Incidents in China of 2014.

Not sure exactly when this was published in 2014, but also worth reading is Chris Valasek and Charlie Miller’s A Survey of Remote Automotive Attack Surfaces.

The US Dept. of Homeland Security (DHS) will provide research funding for two somewhat ICS security related topics: Privacy Protecting Analytics for the Internet of Things and Enhanced Distributed Denial of Service Defense.

 

 

ICS Village CTF Update

We have updated the ICS Village page on the S4x15 site. The network diagram is updated so now you will see that there will be Wonderware, Open BACnet stack, and Modicon PLC on the network. The next update will include an almost full list, we will keep a couple of surprises, of the software and hardware and the network.

Of more interest may be the example flags that have been released. Some of the wording is intentionally vague to not give too much away.

  • What is the Vendor Name on the BACnet Controller?
  • What is the Modicon PLC password?
  • Identify a specific tag value.
  • Identify the attacker from a provided firmware image.
  • Create an IDS Signature to detect an attack from a previous flag.

There is a lot of work to be done in preparing the ICS Village, but a status review this week has me very excited about the environment and competition that will be available to the attendees.

Aqualillies at S4x15

aqualillies3

The South Beach Pool Party will be at the Surfcomber Hotel on Thursday after the S4 Technical Sessions. We are pleased to announce the entertainment for the party … The Aqualillies!

This synchronized swimming group will perform a few numbers in the great Surfcomber pool and then mingle and take pictures. They have performed at TED, Disney World, award shows and other great events.

The pool at the Surfcomber is the perfect venue for the party and this entertainment with balconies, the pool deck, and of course the ocean view at sunset.

I like the Aqualillies mission statement:

Our goal is to inspire people with beauty, grace, and spectacle, bringing to life the magic of the universe through synchronized swimming and dance. By following our dreams we hope to encourage others do the same: to free their imagination, seek out adventure, believe in themselves and their power to make the world a better place. We are reinventing water ballet for the new millennium!

Screen Shot 2014-12-09 at 11.23.01 AM

We have some other fun surprises for this very unusual ICSsec event.

After the party you will be right in the heart of South Beach so you can grab dinner, more drinks, go to a club or just people watch. We will have a bus going back to the Trump at 11PM for those wanting to stay down in South Beach post party.

Registration Update

The registration count is at 126. This means there are 24 seats left at the tier 3 price and only 64 seats left in total. You need to book now if you want to get your spot at S4x15 Week.

Hotel Update

The room block at the Trump International is SOLD OUT. There are still rooms left at the conference rate at the Surfcomber Hotel in South Beach (where the party on Thursday will be held). This room block is available until December 20th so book your room now.

S4x15 Advanced Training Classes

S4x15 attendees have some choices for the Friday activity. There is the ICSage: ICS Cyber Weapons conference and now two one-day advanced training classes. We pick classes that will teach students with the right experience a new, leading edge skill in one day. These classes are typically being taught for the first time. The two classes this year are:

CANBus Hacking

Instructors: Corey Thuen and Reid Wightman of Digital Bond

Corey has been digging into CANBus as part of his research project he will present in the S4 Technical Sessions. He learned a lot and wants to pass that along to the students.

There is no way to do this course without the right hardware. So there is a $100 hardware supplement so every student will have a BeagleBone with CANBus Cape they can use in the course and take home with them.

Why Should the Red Team Have All the Fun?

Instructors: Jim Gilsinn and Bryan Singer of Kenexis

Jim and the Kenexis team have developed a new ICS lab environment that they can bring on the road. So there will be some instruction focusing on defensive techniques and then the class will have a Red/Blue competition.

Each lab pod will have three students on each team and some of the lessons learned will be on the techniques and reasons why the various teams won and lost.

——

The 100+ that have already registered for S4x15 should have received an email on how they can switch from ICSage to the class or add the class if they want.

Seats for each class are limited and look closely at the required knowledge. You will be left behind if you don’t have the required knowledge.

Send In The Drones, S4x15

Drones

This year we have a fun addition to the S4 Cocktail Party held on the Kovens Center deck overlooking the Intracoastal Waterway … drones. We are bringing in CineDrones to let attendees fly a drone through an obstacle course. They claim the drones are virtually indestructible, and I’m sure some first time pilots will put this to the test. We will have prizes for the best times on the course.

CineDrones will also pilot a drone overhead with a camera and display the events on screens inside and outside. Kovens does a great job with the food at this event, and it’s always fun to relax on the deck at sunset after a long day of hardcore ICSsec technical talks. cigar-roller2The Welcome Party on Tuesday is sponsored by PFP Cybersecurity and Waterfall. It is a Cuban themed party down on the beach at the Trump International. We have cigar rollers, domino tables, Cuban food and drink and music, and some other fun surprises. This was a big hit even in unseasonably cold weather last year, so we decided to run it back for another year. The South Beach Pool Party is the big finish of the S4x15 social events on Thursday. We have some fun surprises for this that we will disclose next week. Stay tuned.