The semi-annual Industrial Control System Joint Working Group Conference is traditionally the best place to catch up with everyone in the ICS Security community. DHS puts on a solid program, and there is a certain feeling you need to be here even though there have been few non-conference results from ICSJWG or its predecessor PCSF. Make sure to follow our tweets on day two @digitalbond.
Here’s what happened on day one:
Marty Edwards, the new Director of DHS Control System Security Program, started the day with a low-key discussion of the evolution of control systems. It lacked a real call for action or compelling point, but it did clearly demonstrate Marty’s experience working in ICS. I believe he is the first person in that role that comes from the ICS world.
My question for Marty and ICSJWG is how do they measure success with ICSJWG? Is it by number of people attending the semi-annual events? Some useful products coming out of the Working Groups? Measurable increase in information sharing? At PCSF, the annual conference became the main focus and measure of success, but I think DHS has bigger goals and measures for ICSJWG.
Stephan Parker from EnergySec/NESCO provided the best summary I have heard on what NESCO wants to accomplish. NESCO is a bottom-up effort to Engage, Equip and Empower the energy sector owner/operators. Engage so far has been attending events, voice of the industry meetings and a variety of other outreach efforts.
Equip was the most interesting with three programs highlighted. The Repository of Open Source Security Solutions for the Energy Sector (ROS²ES) was new to me. NESCO is going to be funding this effort both to create the repository and encourage contributions. They are also focusing on Workforce Development / Training with the NESCO Academy program, which adds to the growing ICS Security training options. The last effort was information sharing that was covered in general terms.
Darren Highfill, representing Southern California Edison, spoke about Smart Grid security efforts through the UCA International User Group and ASAP-SG. ASAP-SG has had success by industry/government funding the initial draft of security profiles that are then handed off to standards and guideline groups for review, comment and revisions. This has dramatically sped up the cycle time for document development and approval. There are security profiles out or almost out for AMI, 3rd Party Data Access, Distribution Management and Synchrophasor Management.
One other note: the Embedded System Security Task Force in the UCAIUG may have some information that would be helpful for PLC/RTU/field device security. Similarly, this Task Force should be leveraging the work that ISAsecure has done on embedded system security certification.
Joel Langill of SCADAhacker covered the Luigi vulnerabilities in general and a 7-Techs command execution vulnerability. He tried a live demo that sort of worked, but did a good job of showing the exploit code loading a program, how Metasploit payloads are built and run, and discussions on what an attacker can do. The combination of the demo not working and the low quality projector made this presentation much less than it could have been, but it was still well received. UPDATE: The demo was successfully completed at lunch and was well received.
The morning finished with a presentation from Patrick Beggs from NCCIC and reports from three Subgroups. The Subgroups continue to flounder, or maybe are starting to founder. The Roadmap subgroup did issue the first deliverable and is the group making progress. The Workforce Development subgroup is doing a reboot and the Vendor subgroup continues to talk about the charter. The Vendor subgroup is the most disappointing because it had momentum at PCSF. ICSJWG was complaining that it is not diverse enough with non-vendor members, but what made it effective in PCSF was that vendors were able to work through common issues. In general, the ICSJWG subgroups continue to disappoint and don’t get the participation that other ICS security efforts get.
The afternoon and the remainder of ICSJWG has three presentation tracks. It’s a sign of a good agenda that there are often two talks at the same time people want to attend. I got sidetracked with some meetings (another benefit of ICSJWG is you can meet with clients, partners, vendors … all in one place), so I was only able to attend 2.5 of the sessions.
David Sawin provided an informative, if a bit scary, talk about DHS work on securing the Transportation sector. There are a lot of sub-sectors here, including pipeline, and many of them are just beginning to address SCADA security. They have done a number of inventories or surveys of systems and are working with some of the main vendors, but there has been little progress in deployed systems to date.
Using rail as an example, they are focused on trying to secure Positive Train Control. David said there were three main vendors in this field, and they are talking to all three. This is a good issue to start with, but only one of many aspects that need securing in rail.
Transportation is beginning its own Roadmap. As you can see, Roadmaps are very popular now in DHS. There were a lot of interesting tidbits in the talk. For example, pilots are ditching their flight bags for electronic flight bags the size of a cell phone that plug into the plane’s information systems.
There was an update from ISAsecure, but it was mostly the same information as in our podcast and blogs. We are still awaiting the first ISAsecure certified PLC. It is coming within months according to the speakers.
- There were about 250 people at the peak of the day. I’m not sure what DHS expected, but my guess for success was 400.
- It was a big improvement that the Subgroup reports were limited in number and to 10 minutes. Until there are significant results they shouldn’t get much program time. The Subgroups met on Monday.
- They really needed a stage or something that raised the speaker with the flat, ballroom-style venue.
- The projector was low quality and the screen was small, which made the Langill demo less effective.
- The energy level at the beginning needed to be higher. First couple of presentations need to have big ideas powerfully presented to set the tone.