I was talking a while ago to Justin Engler, a friend who also happens to be a really talented web app and mobile app security researcher, about the popping-up of ICS management software for mobile devices. Nearly three years ago he theorized that mobile apps for ICS would be an interesting place to watch for bugs. Dale’s recent ICSJWG Q&A on mobile device security gave me a little motivation to dig into some sample apps and see how the field actually looks. The results highlight some of the issues that your organization will run into if and when you decide to adopt mobile.
The focus of this post is not just application security. While there are a few specific vulnerable applications mentioned, I think that the big lessons should be ones of architecture and integration challenges. The current lot of ICS management apps pay little mind to securing access or preventing bad operation. Even an app with ‘secure’ on its product homepage may leave you wide open.
I decided to pick on Android simply because my only jailbroken iOS device at the moment is so terribly destroyed from years of abuse that installing new apps is a nonstarter. There also seem to be more interesting control systems apps for Android at the moment.
A quick survey of Google’s Play store for terms such as ‘SCADA’, ‘PLC’, and ‘OPC’ turns up a few applications worth checking out. Unfortunately there are no apps that I could find which do what Dale prescribes: obtain safe, accurate, remote, ‘read-only’ access to control system data. Doing so will require a lot of backend work on your part.
Let’s take a look at two interesting vulnerable applications.
After the PG&E substation shooting, FERC had ordered NERC, as the ERO, to develop and submit a Physical Security Reliability Standard within a very short time frame for this type of work. NERC complied and now FERC says they will approve the standard with two changes. FERC wants the ability to add or remove facilities from the critical facilities list. While they say this would be “exercised only rarely”, this is a crack in the door or slippery slope that is likely to give utilities heartburn. FERC also wants to replace “widespread instability” with “instability”. There needs to be an adjective in front of instability.
Critical Intelligence is holding a one day conference and two days of training called CounterIntel, Sept 16-18 in Park City, UT. The two day training is to help you be a more effective Cyber Intelligence Analyst, and the whole event is limited to owner/operators. Living in the Park City area, I can tell you it is a great time to hold a conference here.
Read the Kyle Wilhoit of FireEye article on how Havex enumerates OPC Servers. Great work.
The automobile sector has started the Auto Information Sharing and Analysis Center (Auto-ISAC). ISACs have a very mixed record, but it seems every sector will have one.
Image by ChrisinPlymouth (the F king)
The S4x15 Week Call for Papers/Presentations is now out.
Send us your session ideas asap to have the best chance of getting on the agenda. All we need is a short description and time requirement mailed to firstname.lastname@example.org.
We are calling it S4x15 Week now because it goes Tuesday – Friday (Jan 13-16 in Miami Beach):
- Tuesday – OTDay and ICS Village Opens
- Wednesday – Day 1 of S4x15
- Thursday – Day 2 of S4x15
- Friday – ICSage:ICS Cyberweapons and Advanced Topics ICS Security Training
The CFP gives more detail on each day and the type of sessions we are looking for.
I wish that we could sit back and wait for all the great sessions to come in, but history has shown that we need to hunt for this great work and unknown talent. If you see or hear about anything that we should chase for S4x15 week, please let us know.
Last year was a big step forward for the ICS security community. We moved past low hanging fruit; we brought in some top security researchers from outside the ICS space; and there was a new focus on what an attacker would do after successful exploit.
We are looking forward to seeing some new and amazing work for S4x15.
Way back at the Spring 2014 ICSJWG meeting, Dale announced that Digital Bond is opening a new division: Digital Bond Labs. This week, we are officially open for business…and we are hiring.
Digital Bond has a long reputation for building the tools that other ICS consultants use ten years down the road. It seems that every other talk given in the ICS security community lately makes reference to Digital Bond’s intrusion detection signatures, Nessus audit files, or Project Basecamp exploit demos.
At Digital Bond Labs, we aim to provide the best in the business at breaking control systems software, security add-ons, and access control systems for both end-users and vendors. Our goal is simple: break all the things that make all the things so that we can rebuild them to be more robust and more secure. In the Digital Bond tradition, we will also continue to focus on valuable research to share with the ICS community.
We are working with Robert M. Lee and his publisher to get SCADA and Me in Japanese for a giveaway on OTDay of S4xJapan (agenda and registration open on Aug 4th). I wish I had the page above as a hidden slide to pull out at ICSJWG last month.
While most of my presentation involved the secure and insecure way to use the cloud in the future for analysis of process data, the most contentious point was on remote access. The easiest way to get into an ICS with a good security perimeter is to compromise an administrator, engineer or technician that has remote access to the ICS. The ICS Spear Phishing session at S4x13 showed how something as simple as a fake maintenance bulletin would have led to compromise of over 25% of the targeted users with remote access to the ICS.
Here’s the basic solution. Push the data out so the right people can view it without jeopardising the integrity and availability of the ICS. Have a physical disconnect for the remote access, and close the connection only in emergency situations following a defined process. Use your automation skills to put this capability on a display in the control room with the appropriate alarms and logging, and automatically re-open the disconnect after a time limit. If you are having multiple emergencies a week that require remote access, your system is not under control or you are understaffed.
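One way to model the emergency-only remote access described above, as an added example that is not Digital Bond’s code: the gate is normally open, an emergency request closes it for a limited time with an audit entry, it re-opens on its own when the limit expires, and repeated emergencies in one week raise an alarm. Operator names, ticket ids, the one-hour limit and the weekly threshold are assumed values.

```python
"""Time-limited emergency remote-access gate with audit log (added example)."""
import time

WEEK = 7 * 24 * 3600


class RemoteAccessGate:
    """Normally-open remote access disconnect: closed only for an emergency,
    logged, alarmed when emergencies pile up, and re-opened on a time limit."""

    def __init__(self, max_session_seconds=3600, weekly_alarm_threshold=2, clock=time.time):
        self.max_session_seconds = max_session_seconds  # assumed default: one hour
        self.weekly_alarm_threshold = weekly_alarm_threshold  # assumed: alarm above 2/week
        self.clock = clock                # injectable so tests can drive time deterministically
        self.audit_log = []               # (timestamp, event, operator, ticket, detail)
        self._session_expiry = None       # None while the disconnect is open
        self._session_starts = []         # start times of emergency sessions

    def _log(self, event, operator="", ticket="", detail=""):
        self.audit_log.append((self.clock(), event, operator, ticket, detail))

    def tick(self):
        """Called periodically (e.g. by the control-room display); re-opens the
        disconnect once the session time limit has passed."""
        if self._session_expiry is not None and self.clock() >= self._session_expiry:
            self._session_expiry = None
            self._log("AUTO_DISCONNECT", detail="time limit reached")

    def is_connected(self):
        """True only while an emergency session is inside its time limit."""
        self.tick()
        return self._session_expiry is not None

    def sessions_this_week(self):
        now = self.clock()
        return sum(1 for t in self._session_starts if now - t < WEEK)

    def request_emergency_access(self, operator, ticket, reason):
        """Close the disconnect for one session; refused if one is already active."""
        self.tick()
        if self._session_expiry is not None:
            self._log("REFUSED", operator, ticket, "session already active")
            return False
        now = self.clock()
        self._session_expiry = now + self.max_session_seconds
        self._session_starts = [t for t in self._session_starts if now - t < WEEK] + [now]
        self._log("CONNECT", operator, ticket, reason)
        # Frequent emergencies are themselves a finding: the process is not under control.
        if len(self._session_starts) > self.weekly_alarm_threshold:
            self._log("ALARM", operator, ticket, f"{len(self._session_starts)} emergency sessions in 7 days")
        return True
```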
Someone in the audience, who actually is in the business of advising industry, pushed back hard at these limitations on remote access. Paraphrasing he said “c’mon we all know that this generation is going to demand and have remote access with a control and admin capability from their smart phone in their basement. What do you recommend to secure this?” This is when I needed the SCADA and Me page. “If you can control it from a phone — so can Bad People.”
Lior Frenkel of Waterfall said something after my session that I told him I’ll be stealing from now on. “You’re part of the critical infrastructure. Act like it!”
Give eWON some credit. They released information that their website was compromised for a short time in January, and issued an updated notice late last week on their home page. Still nothing on the MB Connect or Swiss vendor site to tell customers they may be compromised by Havex if they downloaded and ran their software. Companies are going to have security incidents; customers should be looking and considering how they respond.
Alstom Grid has a new product coming out in response to the PG&E substation shootings called e-terrasheriff. It will detect and report gunshots at unmanned substations, and presumably integrate this into the e-terra SCADA displays.
DHS has opened the CFP for the ICSJWG Fall Meeting. After attending and speaking at the Spring Meeting I was going to pass on this one, but holding it in Idaho Falls will dampen attendance.
The first release of Automotive Grade Linux is out. “Each component includes a detailed Design Requirements Document (DRD) with descriptions, use cases, HMI flows, graphical assets, architecture diagrams and more.”
We have always appreciated the Swedish contingent that has supported S4 since the start. Now they have created their own event, 4SICS, Oct 22-23 in Stockholm. They are working on the agenda, but they already have some great technical ICS talent in Europe lined up. Lueders, Santamarta, Hjelmvik, …
DHS is looking for a lead and partners for their Critical Infrastructure Resilience Center of Excellence (CIRC). “Each COE is led by a U.S. college or university and has multiple partners. COE partners include other academic institutions, private industry, DHS components, DOE National Laboratories and other Federally-Funded Research and Development Centers (FFRDCs), other federal agencies that have homeland security-relevant missions, state/local/tribal governments, and first responder organizations.”
A Honeywell help wanted ad is illustrative of how ICS vendors are trying to generate revenue from cyber security. “This position will be responsible for leading, managing and growing the Honeywell Process Solutions (HPS) industrial cyber security global remote managed services business.”
IETF has an initial draft standard out for “Two Way Authentication for IoT“.
Michael Toecker has recently joined the ranks of Digital Bond alumni and is starting his own firm. Here is his farewell blog entry. Best of luck Mike and welcome to the world of being a small business owner.
A few others have known this for a while, but I’ve left Digital Bond to form a new engineering firm to focus on cyber security for electrical power systems.
The past two years at Digital Bond have been a fantastic experience. I’ve had the opportunity to conduct assessments of Critical Infrastructure that I hadn’t had a chance to see before, and to work with operators on improving the security of their control systems.
While working at Digital Bond, everywhere we went, every critical infrastructure had one requirement in common: a reliable source of electric power. Without this basic resource, most critical infrastructure would not function and would not provide benefit to society. So, I’m refocusing efforts on the security of electric power systems. The new company is called Context Industrial Security. It provides cyber security consulting and design within the context of the process being controlled, and is focused on the security of electric power systems and the unique characteristics that affect their vulnerability.
I’m grateful to Digital Bond and to Dale for giving this engineer a chance to work on the bleeding edge of industrial control system security, and to interact with security, process, and operations persons who are dedicated to the security of control systems. I will still tweet and blog, but it will be from the (in development) website of Context Industrial Security (www.context-is.com), and my personal twitter account (@mtoecker) for now.
I came a day early to South Florida this week to check out the newest official S4x15 hotel: the Surfcomber Hotel in South Beach.
Those still wanting large rooms and suites, luxury, quieter beach and close to the best malls and the Kovens Center can stay at the Trump International. This got high marks from attendees the last two years. To meet the request for a South Beach hotel we are making the Surfcomber Hotel the second official S4x15 hotel … and we got a great rate for attendees.
The Surfcomber is right in the middle of the South Beach action. It’s close to Lincoln Road, all the great art deco hotels and neon signs, restaurants of all types and price ranges, great people watching and bars and clubs.
Of course this location and activity means smaller rooms in an older (1948) hotel and noisier atmosphere. Kimpton bought and did a major update and refurbishment a couple of years ago, but it is a smaller art deco hotel in a party area of South Beach. So attendees will have a good choice between the Trump and Surfcomber.
The main reason I wanted to see the place was to go over ideas for the social event we will hold there on Thursday night out at the pool. The pool is somewhat famous for parties, and Daley Direction has some unique and fun ideas for the S4 / ICSage convergence event.
Bloomberg published more detail on the “UglyGorilla” attack on pipeline SCADA. It’s worth reading past some of the hyperbole in the article to learn what information was taken. “Operatives vacuumed up caches of e-mails, engineering PDFs and other documents, but it was their focus on supervisory control and data acquisition, or SCADA, systems in industrial computers that most concerned U.S. officials.” We have heard more detail on what was taken, and some of it would be very helpful in crafting an attack.
EnergySec/The Anfield Group has published the Agenda for their 10th Anniversary Summit, August 18-21 in Austin, Texas. Days 1 and 2 are training and workshops. Day 3 is a day primarily devoted to sponsor presentations. This is a bold move given the general revulsion to vendor presentations that have even a whiff of commercialism, but give them credit for being clear that they are sponsor presentations. Day 4 looks like the best day with a solid agenda.
The PHDays blog has more detail about the Critical Infrastructure Attack contest at PHDays 4. “Organizers added new SCADA systems (such as Siemens TIA Portal 13 Pro and Schneider Electric ClearSCADA 2014) and various OPC servers (Kepware KepServerEX, Honeywell Matrikon OPC). New HMI devices, the operator panel Siemens KTP 600, PLC (Siemens Simatic S7-300 and S7-1500) and remote control devices (ICP DAS PET-7067) were presented as well. Schneider Electric MiCOM C264 was provided by CROC.” Impressive.
The Kuwait Industrial Automation and Industrial Control System (KIACS) Cyber Security event graciously put videos of the sessions on YouTube. The production quality is first class. After watching a few sessions it appears to be an excellent event for those new to the field of ICS security.
Joe Weiss participated in the filming of a television show on ICS security. He took the camera crew out to a couple of transmission substation sites and found they were left alone while parked in an unmarked van and filming the substation. Expect this to generate some articles when the show is on air.
Image by ChrisinPlymouth
S4xJapan: October 14-15 in Tokyo
I had a bit of fun in Tokyo last month creating a logo for S4xJapan. In Japan people use a hanko, an ink stamp, to sign documents ranging from Fedex or Black Cat delivery acknowledgment to important official documents. A hanko is designed around a person or company’s name, and each hanko is a bit different even if the name is the same.
The S4 logo we have used since 2007 always reminded me of a hanko. So I had a designer and hanko maker modify it a bit to add xJapan and make the image look like a hanko stamp. We actually made a hanko as well to stamp documents at S4xJapan.
The S4xJapan call for presentations is open until July 18th. The early response is encouraging and newsworthy, but we are still looking for great sessions in Japanese or English for OTDay and the main S4xJapan day. Send your proposed presentations topics and abstracts to email@example.com.
The event will be held in the auditorium of Academy Hills on the 49th floor of the Mori Building in Roppongi Hills. The location is ideal for Japanese attendees, as it is close to Roppongi station, and for foreign visitors, as it is close to many hotels, restaurants, nightlife and places to see.
The auditorium lends itself to a technical event like S4xJapan. Every seat has power; quality Internet is free of charge; and when you are on break there is a nice view of Tokyo.
The auditorium is also set up for recording the event, and our plans are to record both OTDay and main event for future distribution in the hope of providing some of the best Japanese language ICS security content available to date.
There is much more to tell after the agenda is published and registration opens. We have a fun and unusual social event planned for Tuesday night, innovative and anonymous Q&A plans, and are working on some unique giveaways that will be appreciated by Japanese and foreign attendees.
The best way to guarantee your spot and get in free of charge is to submit a killer presentation abstract and speak at S4xJapan.