S4x14 Video: Threat Categorization from the Defender’s Perspective

Bri Rolston’s session for Idaho National Laboratory (INL) focuses on a defender using threat intelligence. She makes a hypothesis – “Why isn’t threat intelligence better utilized? The problem is a consumption issue, not data availability”.

Bri defends that hypothesis and then focuses on how a defender should use threat intelligence.

S4x14 Video: Language Theoretic Security Applied to ICS

We were thrilled to have some of the world’s top security researchers enter the ICS world and present at S4x14. In this case, S4 veteran Darren Highfill introduced langsec pioneers Sergey Bratus and Meredith Patterson to the world of ICS, and they worked together to give a novel talk to the ICS community.

After an introduction to langsec, they look at the DNP3 protocol. They actually created a DNP3 parser using the Hammer parser generator library. But you start to see the problems, or challenges, of building a robust DNP3 protocol stack, given the context dependency between the three DNP3 layers.

The money quote from the session was “Your parser two layers down from where you started parsing the packet has to be able to refer back up to its ancestor just to know how many bytes it is supposed to parse. This puts us way, way, way out into heavily context sensitive territory.” After listening to this talk it is not surprising that DNP3 protocol stacks are bug-filled.

The presenters actually worked with Adam Crain & Chris Sistrunk to analyze a specific Project Robus DNP3 protocol stack vulnerability from a langsec perspective. The DNP3 protocol requires a Transport Frame to have at least one valid APDU. Bad things happened when this was violated.

I found myself writing down a number of notes to think about more from this session.

  • Context Dependency – Do you have to have additional information to determine the value or meaning?
  • Weird Machines – Hidden functionality unintentionally built into a device.
  • You save when you throw out bad input early.
  • Computational power is a privilege; don’t expose it to an attacker too early.
  • If you want fast, simplify your language.
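
As an added illustration of the context dependency and the “throw out bad input early” note (this is not the presenters’ Hammer parser), here is a small Python recognizer that accepts a DNP3 user-data link frame only after every length and CRC has been checked. The function names, the helper that builds frames, and the simplified rule for the minimum application data (two bytes on a first segment, one otherwise) are assumptions made for the example.

```python
import struct

def crc16_dnp(data: bytes) -> int:
    """CRC-16/DNP: reflected polynomial 0xA6BC, init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def with_crc(block: bytes) -> bytes:
    return block + struct.pack("<H", crc16_dnp(block))  # CRC is sent low byte first

def build_frame(user: bytes, ctrl=0xC4, dest=1, src=1024) -> bytes:
    """Constructed-input helper: wrap up to 250 bytes of user data in a link frame."""
    head = with_crc(b"\x05\x64" + struct.pack("<BBHH", len(user) + 5, ctrl, dest, src))
    return head + b"".join(with_crc(user[i:i + 16]) for i in range(0, len(user), 16))

def recognize_data_frame(frame: bytes) -> dict:
    """Accept one complete user-data frame or raise ValueError before any field is used."""
    if len(frame) < 10 or frame[:2] != b"\x05\x64":
        raise ValueError("short frame or bad start bytes")
    if with_crc(frame[:8]) != frame[:10]:
        raise ValueError("header CRC mismatch")
    length, ctrl, dest, src = struct.unpack("<BBHH", frame[2:8])
    if length < 5:
        raise ValueError("LEN below minimum")
    user_len = length - 5        # LEN counts CTRL, DEST, SRC and the user data
    blocks = -(-user_len // 16)  # every block of up to 16 bytes carries its own CRC
    # Context dependency: the size of everything below is fixed by the link header's LEN.
    if len(frame) != 10 + user_len + 2 * blocks:
        raise ValueError("frame size disagrees with LEN")
    user, pos = b"", 10
    while len(user) < user_len:
        n = min(16, user_len - len(user))
        if with_crc(frame[pos:pos + n]) != frame[pos:pos + n + 2]:
            raise ValueError("data block CRC mismatch")
        user, pos = user + frame[pos:pos + n], pos + n + 2
    if not user:
        raise ValueError("no transport segment")
    fir = bool(user[0] & 0x40)   # transport header: FIN 0x80, FIR 0x40, 6-bit sequence
    # The application layer never sees a segment too short to hold its header.
    if len(user) - 1 < (2 if fir else 1):
        raise ValueError("transport segment carries no usable application data")
    return {"dest": dest, "src": src, "fir": fir, "fin": bool(user[0] & 0x80), "apdu": user[1:]}
```

Link-only frames (LEN of 5, no user data) are rejected here because the example covers only frames that are meant to carry a transport segment.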

S4x14 Video: Graph Theory for Incident Response in Smart Grid

I challenge S4x14 speakers to have so much technical meat that they leave 1/3 of the audience behind. Seth Bromberger of NCI Security took me up on this in a math-heavy talk on incident response in a smart grid network. However, he explains the graph theory with easy examples from typical smart grid deployments, so loyal readers will understand the concepts even if they don’t want to do the math.

Many of you probably remember the IOActive videos showing a worm propagating through a smart grid network. Seth’s session looks at how to stop the worm from propagating through a variety of graph theory strategies such as Degree Distribution Cull, Betweenness Cull (the most promising strategy) and Shortest Paths. I found the Interdiction Problem to be interesting and something to consider for SCADA systems.
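
To make the difference between a degree cull and a betweenness cull concrete, here is an added Python example (not code from the talk) that isolates the top-ranked node under each ranking and counts how many nodes an infected seed can still reach. The topology is constructed, and reading “cull” as isolating the single highest-ranked node is an assumption of this example.

```python
# Constructed topology (not from the talk): two meter meshes joined by relay "r".
EDGES = [("a1", "a2"), ("a1", "a3"), ("a1", "a4"), ("a2", "a3"), ("a2", "a4"), ("a3", "a4"),
         ("a2", "a5"), ("a2", "a6"), ("a1", "r"), ("r", "b1"),
         ("b1", "b2"), ("b1", "b3"), ("b1", "b4"), ("b2", "b3"), ("b2", "b4"), ("b3", "b4")]

def adjacency(edges, removed=()):
    adj = {}
    for u, v in edges:
        if u not in removed and v not in removed:
            adj.setdefault(u, set()).add(v)
            adj.setdefault(v, set()).add(u)
    return adj

def degree(adj):
    return {v: len(neighbours) for v, neighbours in adj.items()}

def betweenness(adj):
    """Brandes' algorithm for an unweighted, undirected graph."""
    score = dict.fromkeys(adj, 0.0)
    for s in adj:
        dist, sigma, preds, order = {s: 0}, {s: 1}, {v: [] for v in adj}, [s]
        for v in order:  # breadth-first search: order grows as nodes are discovered
            for w in adj[v]:
                if w not in dist:
                    dist[w], sigma[w] = dist[v] + 1, 0
                    order.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    preds[w].append(v)
        delta = dict.fromkeys(adj, 0.0)
        for w in reversed(order):  # accumulate dependencies from the farthest nodes back
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                score[w] += delta[w]
    return {v: c / 2 for v, c in score.items()}  # each pair was counted from both ends

def reachable(adj, seed):
    seen, stack = {seed}, [seed]
    while stack:
        new = adj.get(stack.pop(), set()) - seen
        seen |= new
        stack.extend(new)
    return seen

def cull(edges, ranking, seed):
    """Isolate the top-ranked node, then count nodes still reachable from the seed."""
    target = max(ranking, key=ranking.get)
    return target, len(reachable(adjacency(edges, {target}), seed))
```

On this topology the degree ranking isolates the busiest mesh node, a2, and leaves the path between the two meshes open, while the betweenness ranking isolates a1, the node every cross-mesh path runs through.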

On a related note … the random mixing assumption in the epidemiological models doesn’t hold for the smart grid.

Friday News & Notes

The court battle between Battelle/INL and Corey Thuen at Southfork Security is over. The settlement agreement gives Battelle all rights to Thuen’s Visdom product. While the case hinged on whether Visdom was a copy of Sophia and the Thuen employment agreement, the court’s reaction to the “you called yourself a hacker so you will break the law” argument and the lame national security impact contention were what made it worth watching. Now clear of entanglements with INL, Thuen could start over and build a similar product, but Sophia and Visdom were hardly novel or even competitive with more full-featured solutions.

Microsoft introduced a new version of their free threat modeling tool. We used their old tool in consulting projects, and look forward to trying out and writing about the new version. One immediate plus is it no longer requires Visio. Microsoft has included a drawing tool in the package.

Bloomberg reported “Electric, natural gas and major water companies and regional distribution systems in Connecticut have been penetrated by hackers and other cyber attackers, but defenses have prevented interruption”. We will be seeing this in slide decks.

WOW! NYISO unveiled their new $38M control center with a 2300 square foot video wall. There is a wide range of opinions on what makes a useful control room, but this one will certainly make an impression on visitors.

Wireshark added another ICS protocol dissector … Landis & Gyr (Telegyr) 8979.

And we probably need to put a note in about Heartbleed. There have been a few ICS-CERT advisories on the issue. Asset owners should look at SSL remote access to the ICS and SSL to security perimeter devices for management. Pre-Heartbleed, remote access to ICS should have been physically disconnected except for when emergency support is required.

Image by ChrisinPlymouth

S4x14 Video: Poor API’s Lead To Integrator Provided Vulns

Rotem Bar of Limpox Advanced Solutions closed out S4x14 with a look at how integrators can introduce vulnerabilities into an ICS. This point was actually brought out as well by Sistrunk and Crain with the DNP3 vulns. In that case the TMW master station was not vulnerable to the Project Robus attack methods, but some vendors who had implemented the TMW stack in their master station fell over when fuzzed.

Rotem looks at an example API, from GE Cimplicity, and finds a lack of validation and control, along with unnecessary features. He then proposes an architecture to resolve many of these issues.

Friday News & Notes

The Crain/Sistrunk disclosed vulnerabilities from fuzzing of master stations have all been related to DNP3 protocol stacks … until today. ICS-CERT announced the first Modbus protocol stack vulnerability from Project Robus. Welcome to the party Modbus.

We normally don’t bother commenting on ICS-CERT alerts or advisories, but since we broke that rule already … the latest advisory update on an Allen Bradley denial of service vuln is another reminder that vulns and patching matter little in this insecure by design world. Why worry about a vuln that can cause a denial of service when an adversary can send a legitimate EtherNet/IP Stop CPU command?

Siemens and McAfee announced they “are extending their partnership to enhance the security offerings for industrial customers to protect against rapidly evolving global cyber threats.” Hard to tell if this is marketing fodder or more. The ICS vendors are choosing partners to work with for application white listing, security monitoring and other solutions, with Symantec and McAfee being the major players along with the newest Lockheed/Industrial Defender combo.

Innominate’s mGuard was one of the first industrial field firewalls. At Hannover Messe this week they announced support for OPC. The “OPC Inspector masters the complex connection tracking of OPC dialogues across their changing ports and connection directions, thus enabling an effective control and filtering of OPC based on the stateful inspection firewall principle”. They sell a virtual machine software version in addition to the physical, industrial rated module.

S4x14 Video: Are Risk Based Approaches Bound to Fail?

The Great Debate topic for S4x14 was:

Are Risk Based Approaches Bound to Fail in Securing Critical Infrastructure ICS?

The idea for the topic was a Bound to Fail paper by Ralph Langner and Perry Pederson for the Brookings Institution. We had Jim Gilsinn of Kenexis and Marc Blackmeer of Cisco arguing that risk based approaches are helpful and necessary. Zach Tudor of SRI and Mike Ahmadi of Codenomicon made the case that risk based approaches are bound to fail.

After the four of them argue the issue for 25 minutes it is thrown out to the audience for the remaining 25 minutes. You will see the S4 attendees are not shy about giving their opinion and mixing it up.

Friday News & Notes

Have a great research idea for “Automatic Detection and Patching of Embedded Systems”? Take a look at the DHS pre-solicitation notice announcement for funding under the Small Business Innovation Research (SBIR) program. There is a heavy Internet of Things slant to the item. FYI, this SBIR was what initially funded our SCADA IDS signatures and preprocessors that are now integrated into most commercial IDS.

SANS announced they will be teaching their new week-long ICS 410 ICS/SCADA Security Essentials class in Tokyo, Nov 10-14. The course will be taught in English and simultaneously translated into Japanese.

Critical Intelligence released their annual ICS Security Trends and Analysis Report, for purchase. The analysis of the quality and quantity of the new ICS vulnerabilities is the sizzle, but the most useful information is on new attack and defense techniques, threats and information that will help your detection efforts.

The National Institute of Building Sciences announced two workshops, for a fee. “The Introduction to Cybersecuring Building Control Systems Workshop and the Advanced Cybersecuring Building Control Systems Workshop are both built around” the new Cybersecurity Framework. BYOBACnet script.

Image by TooFarNorth

S4x14 Session: You Name It; We Analyze It

Jim Gilsinn and Bryan Singer of Kenexis Consulting Corporation had a quick 12-slide/15-minute session on analyzing ICS protocols. Good information on the what and why of pub/sub in these protocols, as well as some protocol plots showing some of the challenges of analyzing these protocols.

S4x14 Session: At Least Pretend You Care

UPDATE – The video is added. I wrongly assumed this was the lost 15-minute session. Sorry Sean.

Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a bit of bias to point out shortcomings since this is what Critical Intelligence does for a living, but loyal blog readers and anyone with insight knows the ICS-CERT Alerts and Advisories rarely provide worthwhile analysis.

If you are looking for ICS vulnerability statistical data the first nine slides have very useful charts. The remainder of the presentation goes through some typical and important failures by ICS-CERT and vendor CERTs.

I have some hope that the vendors will learn and get better. I have little hope that ICS-CERT will improve because they have yet to admit they are lacking. The ICS industry doesn’t help by praising the fact that they are putting out so many more Alerts and Advisories than in years past. They could let US-CERT or CERT/CC handle at least 95% of these and truly use their ICS expertise to dive deep in the 5% that matter.