Morning Keynote Panel

The SANS Security summit kicked off bright and early with about 200 people in attendence at Tom Donahue, CIA’s keynote. Interesting comment paraphrased, not clear that terrorists are interested in cyber attacks on critical infrastructure because they don’t have the dramatic display that impresses the terrorists constituency. Terrorists have focused more on dramatic physical events on iconic physical images and prominent people. This could change, “at some point someone is going to do something”. Do you have a plan to reconstitute (recover).

I’d call Tom a skeptic on the cyber terrorist threat to the critical infrastructure.

Next up is Jason Stamp of Sandia. “Security is 5-10 years behind typical IT systems. Same (security) mistakes as IT, only years later.” My comment - we have seen emerging countries leapfrog technologies in areas like mobile networks and communications infrastructure, moving from far behind to far ahead. Is this possible in some areas of control systems? Not a lot new here, but a nice overview of the state of control system security.

Final keynote panelist is Jason Larsen, INL. Jason leads the INL team that performs security assessment on vendor control systems. “Script kiddie is not going to be able to understand or control your system. Just going to click around.” Agree but I think this is missing the point that script kiddies may intentionally or inadvertently bring a critical system down.

“Professional hackers prefer to modify vendor’s software or patches in route.” Anti-virus used as a means to distribute attacks. Fairly provocative presentation by Mr. Larsen.

The audience has grown to 300+. About 50% of the audience is from the power industry.

The format of this event is shorter presentations followed by questions that must by written audience questions read by the moderator.

Tom, CIA, says HIPAA, SOX had the biggest impact on improving corporate security, and same would occur if Congress passed a law for SCADA. One thing that should be in the law is “isolation” of these networks. Audience is against Congress getting involved.

Interesting Question: Score security posture 1 to 10. James Stamp: Finance 7, SCADA Oil and Gas 5, SCADA Electric quite a bit lower than oil and gas, SCADA Water less than electric

Next up is Alan Paller, SANS on the Three Faces of Cybercrime.

I glanced through the presentation. Lots of clippings on cybercrime incidents. Skipping this one.

Technology Panel 1: Testing the Security of Industrial Control Systems

Rita Wells, INL – Like doing in house (at the lab) assessments vs. on-site assessments because in house does not affect a production system. 10 assessments done to date. This jibes with what I hear in the community. There is a lot of demand for INL to test vendor systems at the lab.

Eric Byres, BCIT – Ping sweep on a robotic arm, arm swung around 9’. Eric talked about Project Achilles that tests PLC’s for vulnerabilities.

Ray Parks, Sandia – His proposal: the community needs to develop a testing program structure. Today it is first through the door gets tested. Ray sees three categories, Technology, Protocol and Infrastructure and recommends a triage program. We should be testing the high impact systems first, not the first through the door. Wafer Fab lost 4 hours of production and a batch due to a scan.

Q&A – Eric Byres, “It would be cool if vendors would say these are acceptable tools (scanning) on our systems”. Alan Paller, “Gartner Group recommends buyers put in a RFP requirement to provide scanning results in the proposal”. Interesting. This ties in with the need for some good procurement language in patching, anti-virus.

Rita – Vendors determine whether the results of the assessment are shared with any affected asset owners.

Eric – we would bankrupt the vendors and the end users if we required them to retrofit all the systems to fix vulnerabilities. Huge problem. New systems are a more tractable problem.

Ray – Sandia is working on a NERC CIP compliance course. Alpha version of the course in a few weeks. Rita – NERC has reviewed the INL courses and ‘approved’ them. This does not mean you are NERC CIP certified.

Technology Panel 2: Building Blocks of Security on Control Systems

Came in late to this one. This is a vendor panel with Honeywell, Invensys and Emerson. All three combined in a single presentation. A lot of basics in this presentation. DMZ, anti-virus, Disaster Recovery, Security Policy … Not bad, just basic.

Honeywell, “It’s our responsibility to tell you what should go through the firewall”.
All three vendors say they test and certify patches within seven days. BP (the moderator) won’t buy a product unless they certify anti-virus, test with Achilles or other systems and commit to testing patches within xx days. Recommends other asset owners levy more security requirements on their prospective vendors.

Honeywell and other say they have a hardened Windows config. I’d like to see these and compare to the Center for Internet Security recommendations.

Technology Panel 3: The Asset Owners

Exxon Mobil, Southern Company, and PJM presented key points on the security program. Again there was little new here, but they are dramatic examples that securing control systems can be accomplished. Too often we hear about problems, these are success stories.

A couple of things caught my attention. Exxon Mobil is planning to deploy firewalls between the control center and the PLC’s. This has been a hot button of mine as Ethernet ports with IP connectivity to the control center are increasing available in unmanned field sites. Exxon Mobil also has a standard, hardened config for Windows in the process control environment.

Southern Company breaks their efforts into three categories: Assessments, Hardening and Compliance.

The presenter from PJM had a good pitch on not overclassifying systems as critical, especially in the NERC context. Consider what would happen if the system is not available.

Technology Panel 5: The Government

I’ m losing steam as the day gets long. So the length of the blog is not a reflection of the presentations. Hank Kenchington (DoE), Hun Kim (DHS), Karl Williams (NISCC), Will Pelgrin (State of NY) and a rep from NY Power Authority finished the last panel.

Hank said the labs will have tested systems from Areva, ABB, GE and Siemens by the end of the year. Good news is the testing has resulted in some security patches and therefore more secure systems. Also, as Matt noted earlier, the DoE roadmap is available at www.controlsystemsroadmap.net .

The State of NY is leading an effort to define security language for control system procurement. A number of entities, including DHS, are contributing to this effort.

Hun and Karl gave an overview of the efforts in their respective organizations.

Achilles

Finally, I got to see a demo of BCIT’s Achilles program. As always, BCIT had a unique spin on this unveiling. They are looking to spin this product off to a commercial entity and led a session to critically review the product from an asset owner and control system vendor perspective.

Achilles has a lot of features and options. Hard to give a detailed review without a serious test drive. It looks highly interesting, especially the grammer/fuzzing tools.

Long day and I cut out a bit early at 7:30PM.