Friday News & Notes

ICS Security NewsThe court battle between Battelle/INL and Corey Thuen at Southfork Security is over. The settlement agreement gives Battelle all rights to Thuen’s Visdom product. While the case hinged on whether Visdom was a copy of Sophia and the Thuen employment agreement, the courts reaction to “you called yourself a hacker so you will break the law argument” and the lame national security impact contention were what made it worth watching. Now clear of entanglements with INL, Theun could start over and build a similar product, but neither Sophia or Visdom were hardly novel or even competitive with more full featured solutions.

Microsoft introduced a new version of their free threat modeling tool. We used their old tool in consulting projects, and look forward to trying out and writing about the new version. One immediate plus is it no longer requires Visio. Microsoft has included a drawing tool in the package.

Bloomberg reported “Electric, natural gas and major water companies and regional distribution systems in Connecticut have been penetrated by hackers and other cyber attackers, but defenses have prevented interruption”. We will be seeing this in slide decks.

WOW! NYISO unveiled their new $38M control center with a 2300 square foot video wall. There are a wide range of opinions on what makes a useful control room, but this one will certainly make an impression on visitors.

Wireshark added another ICS protocol dissector … Landis & Gyr (Telegyr) 8979.

And we probably need to put a note in about Heartbleed. There have been a few ICS-CERT advisories on the issue. Asset owners should look at SSL remote access to the ICS and SSL to security perimeter devices for management. Pre-Heartbleed, remote access to ICS should have been physically disconnected except for when emergency support is required.

Image by ChrisinPlymouth

S4x14 Video: Poor API’s Lead To Integrator Provided Vulns

Rotem Bar of Limpox Advanced Solutions closed out S4x14 with a look at how integrators can introduce vulnerabilities into an ICS. This point was actually brought out as well by Sistrunk and Crain with the DNP3 vulns. In that case the TMW master station was not vulnerable to the Project Robus attack methods, but some vendors who had implemented the TMW stack in their master station fell over when fuzzed.

Rotem looks at an example API, from GE Cimplicity, and finds a lack of validation, control and unnecessary features. He then proposes an architecture to resolve many of these issues.

  • Critical Intelligence

Friday News & Notes

f15The Crain/Sistrunk disclosed vulnerabilities from fuzzing of master stations have all been related to DNP3 protocol stacks … until today. ICS-CERT announced the first Modbus protocol stack vulnerability from Project Robus. Welcome to the party Modbus.

We normally don’t bother commenting on ICS-CERT alerts or advisories, but since we broke that rule already … the latest advisory update on an Allen Bradley denial of service vuln is another reminder that vulns and patching matter little in this insecure by design world. Why worry about a vuln that can cause a denial of service when an adversary can send a legitimate EtherNet/IP Stop CPU command?

Siemens and McAfee announced they “are extending their partnership to enhance the security offerings for industrial customers to protect against rapidly evolving global cyber threats.” Hard to tell if this is marketing fodder or more. The ICS vendors are choosing partners to work with for application white listing, security monitoring and other solutions. Symantec and McAfee being the major players along with the newest Lockheed/Industrial Defender combo.

Innominate’s mGuard was one of the first industrial field firewalls. At Hannover Messe this week they announced support for OPC. The “OPC Inspector masters the complex connection tracking of OPC dialogues across their changing ports and connection directions, thus enabling an effective control and filtering of OPC based on the stateful inspection firewall principle”. They sell a virtual machine software version in addition to the physical, industrial rated module.

S4x14 Video: Are Risk Based Approaches Bound to Fail?

The Great Debate topic for S4x14 was:

Are Risk Based Approaches Bound to Fail in Securing Critical Infrastructure ICS?

The idea for the topic was a Bound to Fail paper by Ralph Langner and Perry Pederson for the Brookings Institution. We had Jim Gilsinn of Kenexis and Marc Blackmeer of Cisco arguing that risk based approaches are helpful and necessary. Zach Tudor of SRI and Mike Ahmadi of Codenomicon making the case that risk based approaches are bound to fail.

After the four of them argue the issue for 25 minutes it is thrown out to the audience for the remaining 25 minutes. You will see the S4 attendees are not shy about giving their opinion and mixing it up.

Friday News & Notes

Friday SCADA Security News and NotesHave a great research idea for “Automatic Detection and Patching of Embedded Systems”? Take a look at the DHS pre-solicitation notice announcement for funding under the Small Business Innovation Research (SBIR) program. There is a heavy Internet of Things slant to the item. FYI, this SBIR was what initially funded our SCADA IDS signatures and preprocessors that are now integrated into most commercial IDS.

SANS announced they will be teaching their new week-long ICS 410 ICS/SCADA Security Essentials class in Tokyo, Nov 10-14. The course will be taught in English and simultaneously translated into Japanese.

Critical Intelligence released there annual ICS Security Trends and Analysis Report, for purchase. The analysis of the quality and quantity of the new ICS vulnerabilities is the sizzle, but the most useful information is on new attack and defense techniques, threats and information that will help your detection efforts.

The National Institute of Building Sciences announced two workshops, for a fee. “The Introduction to Cybersecuring Building Control Systems Workshop and theAdvanced Cybersecuring Building Control Systems Workshop are both built around” the new Cybersecurity Framework. BYOBACnet script.

Image by TooFarNorth

S4x14 Session: You Name It; We Analyze It

Jim Gilsinn and Bryan Singer of Kenexis Consulting Corporation had a quick 12-slide/15-minute session on analyzing ICS protocols. Good information on the what and why of pub/sub in these protocols, as well as some protocol plots showing some of the challenges of analyzing these protocols.

S4x14 Session: At Least Pretend You Care

UPDATE – The video is added.  I wrongly assumed this was the lost 15-minute session. Sorry Sean.

Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a bit of bias to point out shortcomings since this is what Critical Intelligence does for a living, but loyal blog readers and anyone with insight knows the ICS-CERT Alerts and Advisories rarely provide worthwhile analysis.

If you are looking for ICS vulnerability statistical data the first nine slides have very useful charts. The remainder of the presentation goes through some typical and important failures by ICS-CERT and vendor CERTs.

I have some hope that the vendors will learn and get better. I have little hope that ICS-CERT will improve because they have yet to admit they are lacking. The ICS industry doesn’t help by praising the fact that they are putting out so many more Alerts and Advisories than in years past. They could let US-CERT or CERT/CC handle at least 95% of these and truly use their ICS expertise to dive deep in the 5% that matter.

Friday News & Notes

SCADA Security FridaySome of the big names, AT&T, Cisco, GE, IBM and Intel, have created the Industrial Internet Consortium. GE has been pushing the term Industrial Internet and may be the hub of the five founding partners, who by the way hold a majority of permanent seats in the IIC. Others are encouraged to join and come along, but it’s the founding partners’ game. Expect Siemens and a couple of GE’s other big competitors to do something similar if they have not already. BTW, there is a Security Working Committee in the IIC.

Joe Weiss, who I like to call the Paul Revere of the ICS world, cancelled WeissCon 2014 due to his consulting workload. Joe’s event was the first ICSsec event and drew a good crowd of asset owners. I had heard good things about the last two WeissCon, a bit of revival, so I’m sure this will disappoint many. Joe says it will be back in 2015.

We submitted our BACnet-discover-enumerate.nse for inclusion in Nmap so you wouldn’t need to download and install our script separately. Some minor code changes were required and are in process to meet the Nmap style and format. We will let you know when it happens.

Thomas Brandstetter was the face of Siemens CERT, most famously at BlackHat during the Beresford vulns. About a year ago he left Siemens and founded Limes Security in Austria. You can add Limes Security to the list of ICSsec training options. They have European-based courses for Managers, Engineers and more technical security courses for those who want to assess DCS and SCADA systems.

Even more ICSsec training … Cimation has opened CimationUniversity.com to provide online training courses. There are four courses ranging in price from $300 – 1,500.

ICS security events in Latin America are still rare, so take note of the CFP for the 1st SCADA Security Conference LATAM in Rio de Janeiro, Nov 5-7. The web site is available in English and Portuguese.

The US Government Accountability Office (GAO) issued a report entitled: Observations on Key Factors in DHS’s Implementation of Its Partnership Approach. The first bullet in the summary is humorous and sad. GAO points out that they identified information sharing as key in 2003 and problems with DHS information sharing in 2010. And they continue to beat that information sharing drum again. I can’t take US Government information sharing seriously until they say out loud and repeatedly critical infrastructure ICS applications, devices and protocols are insecure by design and need to be upgraded or replaced now. Most of what ICS-CERT/DHS shares is noise to show they are doing something.

Security consulting firms take not that Trustwave was included in a lawsuit related to the Target breach. “Trustwave scanned Target’s computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target’s computer systems. Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave’s watch.”

Image TooFarNorth

Friday News & Notes

4922068101_f0c27d8894Dragos Security founders Matt Luallen and Robert Lee announced their first product: CyberLens.  CyberLens enables the passive discovery and identification of cyber assets on a network. I asked and Robert answered in a twitter discussion what makes CyberLens different than Tenable’s PVS and other solutions. The challenge products like Sophia and CyberLens have is: are the ICS intelligence advantages enough to warrant selecting a less complete, proven, likely to survive solution?

On a related note, the kerfuffle between Corey Thuen (Southfork Security) and INL on Sophia must have eased a bit as Corey is the guest presenter at the ICSJWG Webinar I Think, Therefore I Fuzz on March 27th. I couldn’t find a registration link on the ICSJWG site.

The Full Disclosure List was closed this week. A number of ICS vulnerabilities were first disclosed on this list, much to the dismay of many in the ICS community.

Continuing on disclosure, Jake Brodsky over on SCADASEC tells a story of finding a “wide open” FTP server at “a small controls firm that does ICS application software programming”. “It had correspondence regarding various ongoing projects with utility plant upgrades. It had application programs. It had drawings. It had spreadsheets of I/O maps and descriptions.” So they called DHS, who called the firm, and now there is a password on the FTP server. I’m sure loyal readers know that this is not enough. My question … has the firm notified their customers that sensitive data was Internet exposed for years? If not are Jake, DHS and the firm practicing “responsible” or even “coordinated” disclosure. Don’t answer that; it was to prove a point. Those words have always been subjective and ring hollow to me. And this is more evidence that disclosure is not worth the discussion because whoever finds the vuln will do what they choose to do.

The Japanese government recently held a cyber exercise. According to the JapanToday, “Some 50 cyber-defense specialists gathered at an emergency response center in Tokyo, with at least three times that many offsite, to defend against a simulated attack across 21 state ministries and agencies and 10 industry association.”

NERC issued the report on the GridEx II that occurred last December. Sit down off the record and over a beer with participants and you likely will get a different view of the events.

S4x14 Video: Defending “Known Vulnerable” ICS

Monzy Merza of Splunk had a S4x14 defensive session. Working with an actual, deployed Building Management System (BMS), Monzy wrote python scripts to export the data from the BMS to Splunk for analysis. He focused solely on what could be detected from info logged by the BMS.

The BMS was known vulnerable in the general sense that BACnet is an insecure protocol and specific sense in that Rios/McCorkle had found vulnerabilities in the Tridium Niagara AX.

Once the data was in Splunk, Monzy showed examples of how anomalies that could be cyber attacks could be detected in the data. The examples are specific to a BMS and should provide hints to anyone looking for attack detection in an ICS.