Just one interview on the October 2011 Edition of This Month In Control System Security, but it is one of my favorites in the series and a must listen. Terry McCorkle and Billy Rios recently presented “100 Bugs in 100 Days: An Analysis of ICS (SCADA) Software.” In fact they found 665 bugs, 75 of which were easily exploitable, in 76 HMI and other ICS software applications that were freely downloadable from the Internet. They handed them all over to ICS-CERT, and the results are trickling out with advisories and patches already for Iconics, Siemens, Rockwell Automation and others.
The Derbycon presentation spent a lot of time on what ICS is and why it is important. Loyal readers and listeners here already know this. So this podcast focuses on the security vulnerabilities, how they were found, how long it took, what tools were used, some common findings and how these vulns could be extrapolated in an attack.
Two areas we talk about in detail are vulns identified through file format fuzzing and ActiveX vulns. These are two areas that don’t get much attention but seem to be fruitful ground for an attacker. The file format fuzzing is highly interesting because the community to date has focused on protocol stack fuzzing including certifications like Achilles and ISASecure. We need to ramp up the efforts for vendors to add file format fuzzing to their SDL, although I know of two vendors that have been doing a lot of this testing in QA.
Mike is well known in the ICS security space from his time at INL and most recently as the CSO of NERC. He left that behind, and many other potential opportunities, to found NBISE and focus on workforce development. We begin by talking about why he is passionate about solving this challenge, and the high level team that is supporting NBISE.
Mike gives some great examples and lessons on how people learn and how to measure skills, especially in technical fields. He talks about some of the early projects NBISE is working on including smart grid job performance models.
I have the opportunity to read the Critical Intelligence Quarterly Reports and pull some gems out for discussion in the podcast. These actually are some of the smaller parts of the report, but they are some items you may not have heard about.
PG&E’s Security Intelligence Team
Lockheed Martin’s Palisade product for security intelligence in energy sector
ICS modules in popular security exploit frameworks with emphasis on GLEG
Analysis of White House proposal’s potential for success in changing owner/operator behavior
In an earlier Twitter discussion on Siemens, Joel advocated the use of NAC as a significant step forward in securing ICS. We have not yet seen NAC in ICS, and NAC has had a rocky road in IT security. So I was curious to get Joel’s view on why and where an owner/operator should consider NAC.
It ends up being a bit of a debate, friendly of course, with the closest thing to an agreement being that NAC may be best applied to a switch in a DMZ. I encouraged Joel to report back when he has some real world case studies of NAC in ICS.
I actually believe we don’t have enough debate or frank discussions in the community. It is refreshing to see Joel take a different tack and defend it. After all, this is the same community that thought technical security controls like anti-virus and firewalls could never work in ICS.
Patrick and the EnergySec crew have been attending a huge number of events lately as part of their outreach effort. Patrick and I talk about the top three items getting attention (I found #3: Detection to be the most interesting), surprises at the events, what vendors are asking for, and the EnergySec annual conference.
During the event Eric Byres and Joel Langill reported very positively on Twitter, but they were, along with all users who attended the event, then whipsawed by the serious vulnerabilities disclosed immediately after the event.
With all this as background, I have a candid conversation with Eric about the positives and negatives from the Summit, his role and impact on the event, and what he will do differently at future User Group events.
Interview 2: Ralph Langner, CEO of Langner Communication on His Upcoming ICS Security Book
Ralph Langner stopped by Utah on his well deserved vacation after a crazy year of Stuxnet and writing a book. After a hike in the beautiful Uinta mountains I got him to talk a bit about his new book.
It takes a major effort to track all the twists and turns in the future of NERC CIP standards. The best resource we have seen to keep up to date is the Open Letters put out by Rick and others on his [in]Security Culture Blog. They are available free of charge, but registration is required.
I talk with Rick about Version 4, Version 5, CIP-10, CIP-11, Bright Lines, High Impact BES and more. There are no guarantees his crystal ball is accurate, but it will give you a likely outcome and the major factors affecting decisions about the future shape of the NERC CIP standards.
The April edition of This Month In Control System Security focuses on what new security technologies are likely to have a big impact on DCS and SCADA systems. By new security technologies, we mean technologies that have not been widely deployed or even considered in ICS in previous years.
This month we bring back the popular panel format. It was a challenge finding two knowledgeable and candid people who were allowed to speak freely and not tied to a specific security product. Fortunately we found two. In the podcast I’m joined by:
Jonathan Pollet, Founder and Principal Consultant with Red Tiger Security
We each pick a security technology, discuss why we think this will or will not catch on, and then are forced into a hard number prediction. Here are some consensus examples:
75% of the ICS vendors will offer a whitelisting / HIPS option in two years
5% to 10% of the critical infrastructure ICS will have a one-way data diode type product deployed in two years. This is likely to be concentrated in a couple of sectors, such as nuclear.
Somewhere between 33% and 50% of the owner/operators will be allowing mobile device access to control system data in two years.
We recently announced our partnership with Critical Intelligence, and you have seen their contribution to the Friday News and Notes blog entries. Another element of our partnership is a podcast on Critical Intelligence’s ICS Security Trends and Analysis Quarterly Report. In this first edition of that podcast I talk with Sean McBride about the Q1 2011 report.
Getting into the report we talk about ICS vulnerability trends and expectations for the future. There is an exponential growth curve that eerily matches the quarterly disclosures to date in the National Vulnerability Database (NVD). Critical Intelligence is tracking ~150 vulnerabilities, half of which are in the NVD.
Next we get into NESCO and the other organizations trying to stake out a claim as a player in the electric sector. What is NESCO trying to accomplish, likely to accomplish and how will they measure success?
March definitely went out like a lion with all the 0day ICS security vulnerabilities. SCADA IDS is a compensating control until security patches are available.
We start the March This Month In Control System Security podcast with Matthew Jonkman and Daniel Clemens of Emerging Threats Pro. There were two big announcements yesterday regarding our Quickdraw SCADA IDS, and I discuss those with Matt and Daniel. Matt goes into detail on their support for a broad range of Snort versions and the new, open source Suricata IDS. Daniel talks about what he found in plowing through Luigi’s exploit code to write the new vulnerability signatures.
I give a brief overview of the new Portaledge CIP-5 Monitoring Module / Firewall Monitoring Module for the PI Server.
And we finish up with Matt Franz and Gerald Gallagher of SAIC on securing Department of Defense Smart Grid Projects. We get into some DoD standards such as DIACAP and STIGs, but more importantly how they used security compliance requirements to design security into the solution rather than focus on checkbox style compliance. Here are three documents they recommend for more information:
DoDI 8510.01, DoD Information Assurance Certification and Accreditation Process (DIACAP)
DoD 8500.01E, DoD Directive, Information Assurance
DoDI 8500.2, DoD Instruction, Information Assurance Implementation
The February 2011 Edition of This Month In Control System Security is out.
In this podcast I talk with Jeff Potter of Emerson Process Systems about the security in WirelessHART / IEC 62591. In the US ICS security community this standard seems to take a backseat to the ISA 100 wireless LAN specifications, but this is a mistake. WirelessHART has been out for a few years now with a significant installed base. It is a completed standard, and it has been blessed as an IEC and European standard. ISA 100 may get there eventually, but it can’t say any of that yet.
So Jeff gives us a primer on this important topic on WirelessHART / IEC 62591 / EN 62591 cyber security. Here and here are links to WirelessHART security papers from Emerson Process Management.
Next I provide a brief overview of the important content upgrades in the digitalbond.com website. This includes our partnership with Critical Intelligence and the move to a free subscription model.
We kick off the January Edition of This Month In Control System Security Podcast with a brief year in review titled “Oh Crap” – to keep it PG. Last year was an eye opener in many ways. Of course Stuxnet, but much more than just that.
Next I talk with Eric Byres, founder of Byres Security, for about ten minutes on the new version of Tofino for Honeywell safety systems. This is an interesting tool to control the control system / safety system interface. It is very limited in what it lets through to the safety system, basically just Modbus TCP reads. It is also a zero config device, which is very attractive for the ICS space.
The certification consists of a communication robustness test / protocol stack testing like Achilles, functional security assessment on product security features, and a security development lifecycle assessment. The first two are rather straightforward, but the third is harder to audit consistently and has legacy product issues that we discuss in the podcast.