
Reaction to BlackHat Federal SCADA Slides

First impression: apparently you had to “be there.” To me, only 19 slides on SCADA Security was sort of a letdown. If you were looking for technical content (which I thought was the whole reason to go to BlackHat, apart from the gambling and drinking) you are better off checking out the SCADA Exposed talk at ToorCon last year.

Still, SCADA Security and Terrorism: We’re Not Crying Wolf! provides a competent (if somewhat simplistic) SCADA overview and highlights many of the security problems discussed in other industry forums over the past several years: enterprise connectivity, insecure wireless, weak protocols, patching difficulties, inadequate network documentation, etc. But any criticism aside, this was a bellwether event: SCADA goes to BlackHat! As another researcher remarked, this is further proof that “the cat is out of the bag.”

This presentation has its share of FUD (I dislike the T-word, and think it should be used sparingly), but the analysis is solid and backed by the reputation of ISS X-Force. The same cannot be said for many of the more mainstream and lightweight articles on SCADA Security that have appeared to date. However, I’ve always found threat/vulnerability presentations to be more convincing if they include some discussion of countermeasures and potential workarounds. If you only saw this talk, you might conclude that asset owners, vendors, standards/industry organizations, and other members of the SCADA Security community are either clueless or sitting on their hands doing nothing. Some may also question the value of bringing this content to a mainstream audience (yes, I consider BlackHat mainstream!), but my only real beef with the presentation is in slides 10-11: their “Cyberterrorism Threat Analysis.”

The assessment of threat capabilities and intentions seems only to be based on the belief that the “knowledge required to bring down the power grid can be bought at a local book store,” that there are people out there that want to do us harm, and that “the majority” of downloads for an ISS SCADA whitepaper were from the Middle East.

We find the last point especially hard to believe, since our web logs (both on this web site and my wiki) anecdotally indicate that government and military organizations, IT and control system vendors, asset owners, and consulting firms are more frequent visitors than mysterious ISP connections from far off places.

In fact, some of the more memorable Google search queries (especially to my protocols page) over the years have come from intelligence community domains or contractors.

This point further demonstrates the need for better technical threat data, which we noted in our 2006 Blog, because intuition and PDF download counts off a vendor web site simply don’t cut it. They undermine an otherwise strong presentation and ultimately might make some conclude that the presenters themselves were “crying wolf.”
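To make the web-log point concrete: before anyone reads “the majority of downloads came from region X” into raw hit counts, the log needs at least to be deduplicated (the same client fetching a PDF three times, or resuming it with a range request, is one reader, not three) and stripped of crawlers. The script below is an added example written for this post; it is not Digital Bond or ISS code, the log lines are constructed in the Apache “combined” format, and the reverse-DNS table is a stand-in for a real lookup with placeholder domain names.

```python
import re
from collections import Counter

# Constructed sample of Apache "combined" log lines; not real traffic.
# Client 192.0.2.10 fetches the PDF twice and then resumes it (206),
# one request comes from a crawler, and one line is a different page.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Jan/2006:10:01:02 -0500] "GET /scada_whitepaper.pdf HTTP/1.1" 200 512000 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Jan/2006:10:01:40 -0500] "GET /scada_whitepaper.pdf HTTP/1.1" 200 512000 "-" "Mozilla/4.0"
192.0.2.10 - - [27/Jan/2006:10:02:11 -0500] "GET /scada_whitepaper.pdf HTTP/1.1" 206 128000 "-" "Mozilla/4.0"
198.51.100.7 - - [27/Jan/2006:11:15:00 -0500] "GET /scada_whitepaper.pdf HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
203.0.113.44 - - [27/Jan/2006:12:00:00 -0500] "GET /scada_whitepaper.pdf HTTP/1.1" 200 512000 "-" "Googlebot/2.1"
203.0.113.45 - - [27/Jan/2006:12:30:00 -0500] "GET /protocols.html HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Jan/2006:13:05:00 -0500] "GET /scada_whitepaper.pdf HTTP/1.1" 200 512000 "-" "Mozilla/5.0"
"""

# Constructed reverse-DNS table standing in for a real lookup (assumption:
# a production version would resolve PTR records and cache them).
REVERSE_DNS = {
    "192.0.2.10": "proxy.isp.example.net",
    "198.51.100.7": "gw.agency.example.gov",
    "198.51.100.9": "fw.utility-co.example.com",
    "203.0.113.44": "crawl.search.example.com",
}

# Apache combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Crude user-agent markers for crawlers; enough for the demonstration.
BOT_MARKERS = ("bot", "crawl", "spider")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_bot(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in BOT_MARKERS)


def domain_suffix(ip, rdns):
    """Top-level label of the reverse-DNS name, or 'unresolved' when there is none."""
    name = rdns.get(ip)
    return name.rsplit(".", 1)[-1] if name else "unresolved"


def download_summary(log_text, path, rdns):
    """Count requests for `path`, then reduce to unique non-crawler clients
    and group those clients by the suffix of their reverse-DNS name."""
    raw_hits = 0
    bot_hits = 0
    clients = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        raw_hits += 1
        if is_bot(rec["ua"]):
            bot_hits += 1
            continue
        # 200 = full download, 206 = resumed range request from the same reader
        if rec["status"] not in ("200", "206"):
            continue
        clients.add(rec["ip"])
    by_suffix = Counter(domain_suffix(ip, rdns) for ip in clients)
    return {
        "raw_hits": raw_hits,
        "bot_hits": bot_hits,
        "unique_clients": len(clients),
        "by_suffix": dict(by_suffix),
    }


if __name__ == "__main__":
    summary = download_summary(SAMPLE_LOG, "/scada_whitepaper.pdf", REVERSE_DNS)
    print(summary)
```

On the constructed sample, six raw hits on the PDF shrink to three distinct human readers once repeats, a resumed transfer and a crawler are removed, and those three split evenly across a .net ISP proxy, a .gov gateway and a .com utility. The lesson is the one the post makes: the raw counter and the cleaned-up view can tell quite different stories, and neither says anything about intent.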

CAVEAT: This blog is only based on the slides that showed up on the BlackHat site. I didn’t actually see the presentation.

UPDATE: For what it is worth, I received an email from one of the ISS presenters who provided some more context. Apparently during the Q&A session, the presenters spent considerable energy convincing folks there was no need to panic. There may also be a later version of the presentation out there.

NOTE: Since some folks have reported problems getting to the blackhat media site, a copy of the talk is available here. Find the “local copy” link.

Comments

Comment from Tim Anderson
Time: January 28, 2006, 12:30 am

I think the slides lack technical detail because of the weak state of control systems security today. It shows that because control systems typically are unpatched, lack authentication measures, and have weak boundary controls. Since the typical SCADA master is so simple to exploit, a hacker doesn’t have to know how to exploit SCADA protocols to do serious damage. The presentation also highlights that the control system owner is typically clueless that any serious vulnerability exists.

Comment from Mark Grimes
Time: January 28, 2006, 6:08 am

Matt, I think your bedside manner was appropriate before the caveats/updates.

I’ll admit I’m tired of hearing the sky is falling and reading disaster stories — I’ll take interesting offensive or defensive attack scenarios, but I heard neither. Reality is this is a traditional IT security talk dressed up in a SCADA suit with all the appropriate scary buzzwords in place like power grid and nuclear reactor, etc.

I’ve seen 5 years of this so far in the IT Security sector. 5 years of the same presentation on SCADA vulnerabilities. no auth{n,z}, no encryption, fire, death, end of the world — I’m not sure being that I don’t work in the sector if Control Systems operators are going to watch “This is your life” or they are attending a train wreck, a 50 car pileup, and an airplane crash all at the same time. :) Either way it sounds like fun.

I’ll admit I had to calm down awhile before I could clearly write something I wanted preserved on my weblog.

My take on what little I see is here.

Comment from Dale Peterson
Time: January 28, 2006, 7:38 am

A few thoughts

- the slides did a good job of proving the point in the title

- our experience is the control system owner is not “typically clueless”. They bring ISS, Digital Bond or others in because they know they have a problem and need some help. They attend courses, note some of the SANS courses are sold out, for the same reason. We need to be careful that we do not overhype the current situation. Some asset owners have been working on this for years and would impress most security professionals with their program. For example, I would hope the security posture was improved at the asset owners that were used as examples after the assessment.

- Interesting that the presentation did not include any real SCADA knowledge in the attack scenarios. There are a lot of ramifications, pro and con, about this.

Comment from Matt Franz
Time: January 28, 2006, 10:56 am

For what it is worth, starting to be a few other blogs on the ISS Talk:

TaoSecurity
and Security Fix

Comment from Richard Bejtlich
Time: January 28, 2006, 1:49 pm

Hi guys,

I saw you linked to my blog post. Robert Graham’s slides in the Black Hat book and CD were much shorter than his actual presentation, which you see I attended. Sure, there weren’t really any technical details. Instead, Robert Graham presented just how bad the SCADA world looks when seen through the eyes of his pen testing team. He presented a dozen case studies based on his ISS pen testing experiences, plus a few more details not listed in the published slides.

This was my first real exposure to SCADA issues and it scared the heck out of me. It’s like the .mil in 1996.

Great blog, by the way!

Comment from Mark Grimes
Time: January 28, 2006, 3:44 pm

The reality Richard is as Dale said and I started to post on my weblog but retracted it… These vulnerabilities are not necessarily due to the ‘cluelessness’ of Control Systems operators. A lot of these vulnerabilities are ramifications of political issues in an organization, where important people need access from the IT side, or the line is drawn so hard in the sand (sneakernet) that backend rogue connections are made to make one’s job easier. I know this from speaking to several industry people after my Toorcon talk. There is plenty of competence out there, but a lot of it is hands being tied by non-technical factors.

This doesn’t excuse the vulnerabilities. There should be no way someone gets to a reactor from the outside — internal pentests are a little more understood from the hard crunchy shell and soft chewy center that nearly all organizations represent. However, it’s what your capabilities are in the LAST MILE that matter. I think the picking a book up at your local bookstore to own a power grid is a gross overexaggeration, because most of the world would not have any capability once they actually arrived at the SCADA network. THIS is the topic that is of the most scrutiny as it is built up from proprietary and non-proprietary protocols where device control is contingent on fast and accurate which is diametrically opposed to security/encryption. We are seeing that change. This is great, but I know there are a lot more attack metrics due to the amount of complexity some of these protocols provide… self-propagating metrics in some cases… but I don’t mind to end this comment on a vague note. There is just a lot more to explore than what was offered. *Everyone* (both IT and SCADA industry) already knows how bad security is in the Critical Infrastructure. Anyone that hasn’t just hasn’t seen a SCADA talk in the last 5 years… that’s all. Therefore the talk is another notch on the bedpost from a credible source, but the end result is no news.

I’m beginning to believe that demo and extra content aside that I would still be saying the above statement.

Comment from Matt Franz
Time: February 1, 2006, 4:51 pm

For what it is worth, I updated the link in the original blog with the new URL. The new slide-deck (and what was actually presented) is certainly more complete, but I have to agree with Mark’s last post.
