- CIDG and Berkana Resources announced a new security compliance tool, the Comprehensive Security and Compliance Solution. The “comprehensive security” in the name bothers me, but I’m looking forward to spending some hands-on time to get a feel for its value in the future. It purports to help track compliance with security standards and measure risk.
- The pace of activity has picked up at ISA99. Next week Working Group 4 is holding a face-to-face meeting in San Diego for two days, and they are getting good participation, with people traveling long distances to attend.
- Industrial Defender announced that GE Energy will be reselling and integrating ID’s security products with their control system solutions. Nice win for Industrial Defender, but the interesting aspect to me is to watch how the various vendors are responding to customer requests for “cyber security”.
- For those who still have Microsoft on the brain when it comes to exploiting missing security patches, take a look at this video from ShmooCon on Attacking Oracle with Metasploit.
Archives for February 2009
After leaving Tokyo I spent some time in Kuala Lumpur and Singapore. These countries and others in Asia are ramping up their education and guidance efforts on control system security. Most of the effort is with the owner/operators because there is not a large control system vendor base in the region outside of China and Japan.
The challenge in many countries is tractable because the list of critical infrastructure organizations and the people who secure them is of a reasonable size for a closed, all-inclusive community effort. This is a small/large issue rather than an Asian issue. For example, you can see it in the difference between the US DHS approach and the UK CPNI approach.
Evidence of the growing Asian effort is the SCADA Asia event scheduled for June 17-18 in Singapore. This event is not only the first major regional event, but importantly the organizers and speakers are all from the region. Very cool and I might just attend if I’m close by.
We are pleased to announce the first release of Digital Bond’s Portaledge project. Just in case loyal blog readers have forgotten, Portaledge is a U.S. Department of Energy funded project in which control system historians are used to aggregate and correlate security events to detect attacks.
We selected the OSIsoft PI server as our historian platform because OSIsoft was a very supportive partner in the project and because it has a massive market penetration in the US Energy Sector. So this initial release package is a set of files that allow the PI server to aggregate Availability Events and to alert when an Event is recognized.
Subscribers Can Download the Alpha Release Package
The Availability Event Class includes the following Events:
- Computer System Availability Event
- Network Device Availability Event
- Field Device Availability Event
- Performance Degradation Events – Multiple Events Here for Computers, Field Devices and Network Devices
- Simple Network Availability Event
The Availability Event Class is the first of eight planned Event Classes. Details on the Event, Event Class and Event Taxonomy are available on the SCADApedia.
We would really like feedback on this initial release, so send all questions and comments to firstname.lastname@example.org. We will be blogging on various aspects of the release over the next week.
Thanks again to US Department of Energy for funding this effort and OSIsoft for supporting it with donated products and staff time.
An interesting and quite dangerous situation is playing itself out on the corporate side of the firewall. There’s an Adobe 0day being exploited in the wild, and that alone is enough to make all of the control system admins out there take a quick glance at their firewall rules. An Adobe 0day essentially means that an attacker has access to any business network in the world: if you’re targeted, someone in your company will open the PDF, and for the next couple of weeks your corp/SCADA firewall is essentially an Internet/SCADA firewall (hopefully most of you think about it like that all the time). But I think the patch and information disclosure are worthy of a little discussion.
HDM over at the Metasploit blog has a good write-up on everything if you’re interested in the details, but essentially there won’t be a patch for a bit, so Sourcefire VRT has posted not only enough details to create mitigations (or exploits, depending on your point of view) but also a homebrew patch to solve this particular problem.
So let’s pretend this same thing was happening with some SCADA software: a 0day is being actively exploited in the wild and a patch isn’t coming for weeks (months). Would you demonize someone like VRT for releasing details about the vulnerability? Would you be angry with the vendor for being slow to react? What timeline for a patch would you accept? How about just for a workaround/mitigation? Would the thought of applying a homebrew patch ever cross your mind?
What if the vulnerability was found by a good-guy researcher and, as far as anyone knows, isn’t being exploited? How does that change your answers? Should it change them much? Or at all?
In the meantime, until you’ve patched the Adobe software that probably came bundled on a lot of the workstations, you may want to make a policy of not allowing any new PDFs onto your control systems, whether that’s via Ethernet or sneakernet.
With a few other projects wrapping up this week I’ve been concentrating on our Quickdraw project and expanding Snort’s capabilities so that detection and alerting are quite a bit easier. Thankfully the good people who created Snort have made this a lot easier by providing a way to add dynamic preprocessors, which allow much more in-depth analysis than the standard rule language: things like checksums in DNP3, or cases like this one where a rule would get convoluted very quickly. The documentation isn’t great, but with a nice write-up from the SANS reading room and the preprocessors that a friend of mine, Ben Feinstein, released last year I had plenty of code to work from. After being misled by documentation not matching implementation a few times, I’d rather have the code anyway.
I’m currently working on ENIP (EtherNet/IP, where the IP stands for Industrial Protocol, which is really a terrible name), so the first stop to find out whether there’s a newer version of the specification than the one I have was ethernet-ip.org, which so many sites still point to. It appears to have been taken over by a domain squatter, and the ODVA site feels like a circular maze that keeps wanting me to accept license terms and send money…
So I’ll do the easy thing and let someone else do all that analysis, and I’ll make sure there aren’t any mistakes. Wireshark, an open source project and a darn fine one, has a built-in protocol dissector for ENIP, and a quick grep through the source tree finds the code that does just that. From there things get pretty easy: I can implement logic similar to what Wireshark uses, and we get a pretty well functioning preprocessor with just a bit of work.
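As an added example (this is not Quickdraw’s preprocessor and not Wireshark’s dissector), here is what the ENIP encapsulation-header handling boils down to in C, with the checks a preprocessor needs before anything downstream trusts the header: the fixed 24-byte header, a length field that must not claim more bytes than are actually on the wire, an options field the specification requires to be zero, and a known command code. The field layout and command values come from the ODVA EtherNet/IP encapsulation specification; the sample messages are constructed for this example.

```c
/* EtherNet/IP encapsulation header parser with the sanity checks a Snort
 * preprocessor should apply before handing the payload to rules.
 * Added example for this post; not Quickdraw, Snort or Wireshark code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ENIP_HDR_LEN   24      /* fixed encapsulation header size      */
#define ENIP_TCP_PORT  44818   /* explicit messaging (TCP and UDP)     */
#define ENIP_IO_PORT   2222    /* implicit I/O (UDP), no encapsulation */

/* Encapsulation command codes (EtherNet/IP specification). */
#define ENIP_NOP                 0x0000
#define ENIP_LIST_SERVICES       0x0004
#define ENIP_LIST_IDENTITY       0x0063
#define ENIP_LIST_INTERFACES     0x0064
#define ENIP_REGISTER_SESSION    0x0065
#define ENIP_UNREGISTER_SESSION  0x0066
#define ENIP_SEND_RR_DATA        0x006F
#define ENIP_SEND_UNIT_DATA      0x0070

struct enip_hdr {
    uint16_t command;
    uint16_t length;      /* bytes of encapsulated data after the header */
    uint32_t session;
    uint32_t status;
    uint8_t  context[8];  /* echoed back by the target, otherwise opaque */
    uint32_t options;     /* must be zero; spec says discard otherwise   */
};

/* Distinct verdicts so each can map to its own alert. */
enum enip_verdict {
    ENIP_OK = 0,
    ENIP_TRUNCATED_HDR,    /* fewer than 24 bytes available            */
    ENIP_LENGTH_MISMATCH,  /* length field claims more than is present */
    ENIP_BAD_OPTIONS,      /* options field non-zero                   */
    ENIP_UNKNOWN_COMMAND   /* command code not in the specification    */
};

/* All ENIP header fields are little-endian. */
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one complete encapsulation message. In a reassembled TCP stream,
 * bytes beyond header+length belong to the next message; the dangerous
 * case is a length that points past the bytes we actually hold. */
static enum enip_verdict enip_parse(const uint8_t *pkt, size_t len,
                                    struct enip_hdr *h)
{
    if (len < ENIP_HDR_LEN) return ENIP_TRUNCATED_HDR;
    h->command = le16(pkt);
    h->length  = le16(pkt + 2);
    h->session = le32(pkt + 4);
    h->status  = le32(pkt + 8);
    memcpy(h->context, pkt + 12, 8);
    h->options = le32(pkt + 20);

    /* Trust the wire, not the field: every later offset is derived from length. */
    if ((size_t)h->length > len - ENIP_HDR_LEN) return ENIP_LENGTH_MISMATCH;
    if (h->options != 0) return ENIP_BAD_OPTIONS;

    switch (h->command) {
    case ENIP_NOP: case ENIP_LIST_SERVICES: case ENIP_LIST_IDENTITY:
    case ENIP_LIST_INTERFACES: case ENIP_REGISTER_SESSION:
    case ENIP_UNREGISTER_SESSION: case ENIP_SEND_RR_DATA:
    case ENIP_SEND_UNIT_DATA:
        return ENIP_OK;
    default:
        return ENIP_UNKNOWN_COMMAND;
    }
}

int main(void)
{
    /* Constructed RegisterSession request: 24-byte header, 4 bytes of data
     * (protocol version 1, options 0). Context "DB-QD001" is arbitrary. */
    const uint8_t reg[] = {
        0x65, 0x00, 0x04, 0x00,  0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00,  'D', 'B', '-', 'Q', 'D', '0', '0', '1',
        0x00, 0x00, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00 };
    /* Same message with the length field set to 0xFFFF. */
    const uint8_t lie[] = {
        0x65, 0x00, 0xFF, 0xFF,  0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00,  'D', 'B', '-', 'Q', 'D', '0', '0', '1',
        0x00, 0x00, 0x00, 0x00,  0x01, 0x00, 0x00, 0x00 };
    struct enip_hdr h;
    printf("register: %d\n", enip_parse(reg, sizeof reg, &h));
    printf("  cmd=0x%04x len=%u session=%u\n", h.command, h.length, h.session);
    printf("bad length: %d\n", enip_parse(lie, sizeof lie, &h));
    return 0;
}
```

The length check is the one that matters most for a preprocessor written in C: a dissector that walks the CPF items after the header using the claimed length, without comparing it to the captured size, reads past the buffer on a malformed packet, which is exactly the class of bug an IDS should not share with the device it is watching.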
Things like this are why open source and open protocols are fantastic for everyone interested in security and monitoring their systems.
Even while some engineers are still dealing with Windows NT (or much older) servers and workstations, Windows Vista and Server 2008 are making their way into control system environments. It doesn’t seem that long ago that I was heading up a committee on whether to upgrade to Windows 2000 or XP, but I digress.
I’ve been working with the audit files that Tenable has for Vista and (very recently) Server 2008. These are coming out of the DISA checklist efforts. So far, there’s nothing surprising about the audit checks. For the types of settings inspected with the audit files — permissions, service policy, security policy, etc… — not much has changed. There are definitely some new security features with 2008, however, that make me wonder if there is still more work to be done.
Dale blogged about the Server Core installation option several times last year, but what about some of the other security features? One simple example is the ability to have multiple password policies (fine-grained password policy). With Server 2003, you could only have one password policy per domain. There are other security features and improvements that range from major (e.g., NAP) to minor but very interesting (e.g., Auditpol).
Has anyone done a thorough analysis of Windows Server 2008 and Vista security changes and how they apply to control system environments? Please tell me — because if not, I may have just accidentally volunteered for the job.
The past two days I have presented at and attended control system security events in Tokyo. These events are put on by JPCERT/CC and the Japanese Ministry of Economy, Trade and Industry. Wednesday was an invite-only vendor day with approximately fifty attendees from Japanese control system security vendors, a very strong turnout. There was a mix of presentations in the morning, mine is posted here, including Wurldtech on Delphi and JPCERT on secure C/C++ coding. In the afternoon Marty Edwards of INL gave a half day of the DHS/DoE funded training materials. This was a big hit.
Today there is an even bigger event with about 75 asset owners, vendors and other interested parties. Keynotes included Professor Suguru Yamaguchi, who is an advisor to the National Information Security Center in Japan’s Cabinet Office, and Sean McGurk, the Director of the DHS Control System Security Program. It was great that Sean made this trip because many Japanese control systems are used in US critical infrastructure and vice versa. This was the first time I’ve seen Sean speak; he gave an overview of DHS efforts and a brief explanation of about twenty “cyber incidents” on control systems. Good, concise set of incidents.
Sean said, ICSJWG will “allow the private sector to provide direct input to the government”.
I’m presenting this afternoon along with representatives from Toyota, Yokogawa, JEMIMA, JPCERT and the High Energy Accelerator Research Organization.
The content over the past two days has been good and appropriate for the audience. The simultaneous translators are amazing. My major takeaway is that the level of effort and community has really increased in Japan over the last two years.
This week DHS announced the creation of the Industrial Control System Joint Working Group [ICSJWG] that will operate under the Critical Infrastructure Partnership Advisory Council [CIPAC]. ICSJWG “will continue the successful public and private partnerships created by the Process Control System Forum (PCSF).”
This comes after the untimely demise of PCSF, and although details are limited, this does not appear to be a direct PCSF replacement. The annual PCSF meeting was a one-stop shop where you could get an update on almost everything going on in control system security: standards, what-works examples, government initiatives, vertical sector programs, … ICSJWG is more likely to be focused on direct government/industry communications rather than fostering a control system security community.
Just because ICSJWG will not be PCSF II, does not mean it is a bad thing. However, we need a PCSF II, or we will lose some of the progress that has been made over the past 5 years. I know a number of people are mulling this over, as am I, and hopefully some suitable replacement will be available in 2009.
If you followed the Aurora vulnerability or are involved in the nuclear energy sector, then Timothy Roxey is a name that you will certainly recognize. NERC announced this week that he will be coming on board in a newly-created role — Manager of Critical Infrastructure Protection. He’ll be working with CSO Michael Assante on CIP initiatives and will have a leadership role with the ES-ISAC. (Assante’s position is also a recent addition. Still less than a year old, it was a response to last year’s congressional hearings.)
I have to think that adding this position is a positive thing and hope it will result in continuous improvement of NERC’s security efforts. Mr. Roxey brings a lot of valuable experience and we wish him all the best.
Two interesting items in the latest NERC newsletter.
- NERC is creating a group called Hydra. They say “Hydra will create a network of electric industry subject matter experts (SME) to handle modern fast-moving threats to the bulk power system.” There is an open invitation for two hundred SMEs. There are more and more of these pro bono opportunities, but not an increasing number of SMEs. One measure of an effort’s success is the amount of participation, although a small number of active participants usually carry the day.
- Mike Assante has an interesting article on “Suspicious Probes”, looking at activity at utility Internet gateways on control system ports. It is important to take the extra step to verify it is in fact a control system protocol on that port. In past years there was activity on the DNP3 port that caused concern, but closer analysis revealed it was an attack on another application that used the same port.
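Two items on this page call for the same check: the Quickdraw post above mentions DNP3 checksums as the kind of thing a dynamic preprocessor can verify that a rule cannot, and the “Suspicious Probes” item warns that traffic on the DNP3 port is not necessarily DNP3. The C below, added here and not taken from Quickdraw, Snort or the NERC article, validates a DNP3 link-layer header (start octets 0x05 0x64, the LENGTH field, and the CRC-DNP over the first eight bytes) so that a preprocessor or a triage script can say whether a payload seen on TCP/20000 is actually DNP3 rather than something else that happened to pick the same port. The CRC algorithm is the one in the DNP3 specification; the frames are constructed for the example.

```c
/* DNP3 link-layer header validation: start octets, LENGTH and CRC-DNP.
 * Added example for this page; not Quickdraw, Snort or NERC code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* CRC-DNP (IEEE 1815): polynomial 0x3D65, computed bit-reflected (0xA6BC),
 * initial value 0, result complemented, transmitted low byte first. */
static uint16_t dnp3_crc(const uint8_t *buf, size_t len)
{
    uint16_t crc = 0;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (uint16_t)((crc >> 1) ^ 0xA6BC)
                            : (uint16_t)(crc >> 1);
    }
    return (uint16_t)~crc;
}

/* Distinct verdicts so a preprocessor can raise a distinct alert for each. */
enum dnp3_verdict {
    DNP3_OK = 0,
    DNP3_TOO_SHORT,   /* under 10 bytes: cannot hold a link-layer header     */
    DNP3_BAD_START,   /* not 0x05 0x64: whatever this is, it is not DNP3     */
    DNP3_BAD_LENGTH,  /* LENGTH < 5: less than CTRL+DEST+SRC, impossible     */
    DNP3_BAD_CRC      /* header CRC mismatch: corruption or a forged header  */
};

struct dnp3_link_hdr {
    uint8_t  length;  /* CTRL+DEST+SRC+user data, CRC octets excluded (5..255) */
    uint8_t  ctrl;    /* DIR, PRM, FCB/FCV flags; function code in low nibble  */
    uint16_t dest;
    uint16_t src;
};

/* Validate the 10-byte link header; on success fill *out (may be NULL). */
static enum dnp3_verdict dnp3_check_header(const uint8_t *pkt, size_t len,
                                           struct dnp3_link_hdr *out)
{
    if (len < 10)                         return DNP3_TOO_SHORT;
    if (pkt[0] != 0x05 || pkt[1] != 0x64) return DNP3_BAD_START;
    if (pkt[2] < 5)                       return DNP3_BAD_LENGTH;

    uint16_t wire = (uint16_t)(pkt[8] | (pkt[9] << 8));  /* low byte first */
    if (dnp3_crc(pkt, 8) != wire)         return DNP3_BAD_CRC;

    if (out) {
        out->length = pkt[2];
        out->ctrl   = pkt[3];
        out->dest   = (uint16_t)(pkt[4] | (pkt[5] << 8));
        out->src    = (uint16_t)(pkt[6] | (pkt[7] << 8));
    }
    return DNP3_OK;
}

int main(void)
{
    /* Constructed RESET LINK frame (CTRL 0xC0: DIR=1, PRM=1, function 0)
     * from source address 1024 to destination 1; CRC E9 21 was worked by
     * hand with the algorithm above. */
    const uint8_t frame[]  = { 0x05, 0x64, 0x05, 0xC0, 0x01, 0x00,
                               0x00, 0x04, 0xE9, 0x21 };
    /* Same frame with one control bit flipped and the CRC left untouched. */
    const uint8_t forged[] = { 0x05, 0x64, 0x05, 0xC4, 0x01, 0x00,
                               0x00, 0x04, 0xE9, 0x21 };
    /* Something that merely landed on the DNP3 port. */
    const uint8_t http[]   = "GET / HTTP/1.1\r\n";

    struct dnp3_link_hdr h;
    printf("frame:  %d\n", dnp3_check_header(frame, sizeof frame, &h));
    printf("  func=%u dest=%u src=%u\n", (unsigned)(h.ctrl & 0x0F),
           (unsigned)h.dest, (unsigned)h.src);
    printf("forged: %d\n", dnp3_check_header(forged, sizeof forged, NULL));
    printf("http:   %d\n", dnp3_check_header(http, sizeof http - 1, NULL));
    return 0;
}
```

A CRC is an integrity check, not an authentication check: a deliberate attacker recomputes it, so a valid CRC only tells you the traffic really is DNP3 and was not mangled in transit. That is still exactly the question the “Suspicious Probes” item asks, and it is the filter that separates a real DNP3 probe from another application’s traffic on the same port before anyone escalates.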
And the control system vuln of the week:
- Wesley McGrew has published information on the GE iFix vuln and fix.