
Liveblogging: SANS Summit Day 2

Day 2

Power Panel

Robert Hill gave an overview of the lab's role, and specifically INL programs. Nothing new here, but useful for newcomers.

Paul Skare, Siemens, was up next (interesting, and noted by Alan, that Areva and ABB were not part of the event). Siemens has their own S-CERT. Can't find it on their site. Q&A: Paul says the S-CERT is a private site??? I'll ask Paul offline.

INL has tested and is scheduled to test a number of Siemens products.

Michael Assante (INL) is talking about his experiences in his last job at AEP, where he was in charge of security. Security is better on transmission/EMS than on generation and distribution.

More talk about vulnerability disclosure, an issue near and dear to our heart as we push the first control system vulnerability through US-CERT. This is going to be a big issue for the next two years, as it has been in IT for quite a while.

Sensing a trend on day 2: Common Procurement Security Requirements seems to be the idea that is generating some excitement. Mentioned by two panel members, a well-known passion of Alan's, and now a bonus presentation from Will Pelgrin, who is a leader in the Secure Procurement Project. Could be helpful if the perfect does not get in the way of the good.

Security Vendor Panel 1

Up first is Sam Silverberg with Symantec. I always applaud Symantec's involvement in the community, much more than most of their competitors, but sometimes they overplay how their products are customized for control systems. Interested to see if this has been addressed.

Sam’s talking about Incident Correlation which is what we are trying to foster in the PCSF SEM Interest Group. Symantec is an active participating member. This seems to be pushed up in their strategy a bit.

Perimeter security information and good practices, tying back to SEM. This presentation didn't overreach.

Lori Dustin, Verano and Jonathan Pollet, PlantData are next. Interesting since Verano bought PlantData after the program was set. Not mentioned by Alan, Lori or Jonathan?

Interesting... Lori said Verano was a little bit early to market and has spent a lot of time educating the market. Giving examples of what their SCADA SEM identifies: new files and file modifications, new sockets or processes (trojans?), process termination, rogue devices, NIDS, and CPU/RAM/disk usage.
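The detection categories Lori listed map onto a simple snapshot diff: baseline the host, take a fresh snapshot, and report every file, process, listener and resource-usage change. The following is an added example, not Verano or PlantData code; the snapshot layout (file hashes, (pid, command) pairs, (proto, port, pid) listeners, usage percentages) and the resource thresholds are assumptions, and the two snapshots are constructed to show one HMI host where the HMI server has been replaced by something listening on a new port.

```python
"""Host-change detection of the kind a SCADA SEM agent reports.

Added example, not Verano or PlantData code. The snapshot layout and the
threshold values are assumptions; a real agent would build snapshots from
the live host rather than from the constructed dicts below.
"""
from __future__ import annotations

from dataclasses import dataclass

RESOURCE_THRESHOLDS = {"cpu_pct": 90, "ram_pct": 90, "disk_pct": 95}  # assumed policy


@dataclass(frozen=True)
class Event:
    kind: str      # class of change observed
    subject: str   # the file, process or socket it concerns
    detail: str = ""


def diff_snapshots(baseline: dict, current: dict) -> list[Event]:
    """Compare two snapshots and return one Event per change, in a stable order."""
    events: list[Event] = []

    # Files: a hash mismatch is a modification; a presence change is create/delete.
    b_files, c_files = baseline["files"], current["files"]
    for path in sorted(set(b_files) | set(c_files)):
        if path not in b_files:
            events.append(Event("file_created", path, c_files[path]))
        elif path not in c_files:
            events.append(Event("file_deleted", path))
        elif b_files[path] != c_files[path]:
            events.append(Event("file_modified", path,
                                f"{b_files[path][:12]} -> {c_files[path][:12]}"))

    # Processes are keyed by (pid, command) so a reused pid running a
    # different image shows up as a termination plus a start, not as "no change".
    b_procs, c_procs = set(baseline["processes"]), set(current["processes"])
    for pid, cmd in sorted(c_procs - b_procs):
        events.append(Event("process_started", cmd, f"pid {pid}"))
    for pid, cmd in sorted(b_procs - c_procs):
        events.append(Event("process_terminated", cmd, f"pid {pid}"))

    # Listening sockets: (proto, port, pid). A new listener is the classic
    # backdoor indicator, so report which process owns it.
    owners = dict(current["processes"])
    b_socks, c_socks = set(baseline["sockets"]), set(current["sockets"])
    for proto, port, pid in sorted(c_socks - b_socks):
        events.append(Event("socket_opened", f"{proto}/{port}",
                            f"pid {pid} ({owners.get(pid, 'unknown')})"))
    for proto, port, pid in sorted(b_socks - c_socks):
        events.append(Event("socket_closed", f"{proto}/{port}", f"pid {pid}"))

    # Resource usage against fixed thresholds (assumed values).
    for metric, limit in RESOURCE_THRESHOLDS.items():
        value = current["resources"].get(metric)
        if value is not None and value > limit:
            events.append(Event("resource_high", metric, f"{value}% > {limit}%"))
    return events


# Constructed snapshots, not real data. Hashes are shortened stand-ins.
BASELINE = {
    "files": {"/opt/hmi/bin/hmi-server": "a3f1c9", "/etc/passwd": "77e0b2"},
    "processes": [(1, "/sbin/init"), (412, "/opt/hmi/bin/hmi-server")],
    "sockets": [("tcp", 502, 412)],          # Modbus/TCP listener owned by the HMI
    "resources": {"cpu_pct": 12, "ram_pct": 40, "disk_pct": 55},
}
CURRENT = {
    "files": {"/opt/hmi/bin/hmi-server": "a3f1c9", "/etc/passwd": "c0ffee",
              "/tmp/.x": "deadbe"},
    "processes": [(1, "/sbin/init"), (9001, "/tmp/.x")],
    "sockets": [("tcp", 4444, 9001)],        # new listener; the HMI listener is gone
    "resources": {"cpu_pct": 97, "ram_pct": 41, "disk_pct": 55},
}


def demo() -> list[Event]:
    return diff_snapshots(BASELINE, CURRENT)


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.kind:20} {ev.subject:28} {ev.detail}")
```

On the constructed pair this yields seven events: a modified /etc/passwd, a new file in /tmp, the HMI process terminated and an unknown one started, the Modbus listener closed and a new one on tcp/4444 owned by the unknown process, and a CPU spike. Keying processes by (pid, command) rather than pid alone is the detail that matters on a long-running host, where pids get reused.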

Jonathan's up. Perimeter security is not enough. Emphasizing securing the PLC/field device more than most. Jonathan: a bridge firewall is more appropriate than a routing firewall at the field sites. No need to change addresses, better performance. Obviously this all ties into the Patriot SCADA product, described as a sub-$1000 product. The market for this is still unknown; there were not a lot of bites at the $500 price point. Still early. Centralized management is going to be critical if hundreds of units are deployed.

Q&A - Verano strategic partnership with Counterpane MSSP mentioned. Symantec does MSSP as well and BP is a customer.

How do security vendors get their products blessed on control vendor products? Some asset owners will not deploy if it is not. Interesting, candid answer from Lori: the response from vendors has varied greatly, with some detail. Verano feels confident the impact of their agents is minor, less than 1% of CPU. Alan is much tougher on security vendors. Questions still going, but I'm on a break…

Security Vendor 2

Ok, I'm back. I missed the Jonathan Bingham (Intrusic), Darrin Miller (Cisco) and David Whitehead (SEL) presentations. Tom Good (DuPont) is up at the panel as well. They are just starting Q&A.

Management question on the SEL encryptors. Answer was a little bit squishy. Keys are manually loaded and updated, working on a central management system. Management is via IP/Ethernet port for this serial encryptor?

Darrin must have talked about host IPS, sorry I missed that. Host IPS for SCADA is potentially a very effective last line of defense, but the potential negative impact has prevented most serious consideration in the control system environment.

Afternoon

Clarification on the liveblogging: "nothing new" does not equal bad. Overall the presentations are high quality. The "nothing new" statements in the blog mean you would have heard this before at other industry events.

Common Vulnerabilities Panel

Rita Wells (INL) is talking about common findings from the lab assessments. Some examples:
- enumeration of accounts and passwords
- possible replay attack
- reverse engineering protocols, this seems to be a passion within INL
- default accounts, hardcoded accounts/passwords, weak passwords, no or weak authentication, unnecessary services, missing patches (just like IT)
- coding practices such as unchecked data streams
- no outbound filtering on perimeter security; least privilege is applied only from untrusted to trusted, not vice versa

Interesting: Rita included the number of systems tested that had each of the vulnerabilities listed above. The results are not pretty, but it is important to note that the vendors had purportedly fixed a lot of these issues.
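Three of the INL findings above (unchecked data streams, no or weak authentication, and the possible replay attack) come together in how a device accepts a command frame. The following is an added example and not INL's or any vendor's protocol: the frame layout (magic, sequence number, length, payload, HMAC-SHA256 tag), the size limit and the shared key are assumptions, and the captured "open breaker" command is constructed. The receiver checks the length field against the bytes it actually holds before using it, verifies the tag in constant time, and rejects any sequence number that is not strictly newer than the last accepted one; the same receiver with the freshness check switched off accepts the captured command a second time, which is the replay finding in one line.

```python
"""Authenticated, replay-resistant command frames with a length-checked parser.

Added example, not INL's or any vendor's code. The frame layout is an
assumption: magic(2) | seq(4, big-endian) | length(2) | payload | tag(32).
"""
from __future__ import annotations

import hashlib
import hmac
import struct

MAGIC = b"SC"
HDR = struct.Struct(">2sIH")   # magic, sequence number, payload length (8 bytes)
TAG_LEN = 32                   # HMAC-SHA256
MAX_PAYLOAD = 1024             # assumed protocol limit


def build_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: the tag covers header and payload, so neither can be altered."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long")
    header = HDR.pack(MAGIC, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key: bytes, require_fresh: bool = True):
        self.key = key
        self.require_fresh = require_fresh
        self.last_seq = -1   # highest sequence number accepted so far

    def accept(self, frame: bytes) -> tuple[bool, str]:
        # 1. Bounds: never act on the wire length field until the buffer
        #    is known to hold exactly what the field claims.
        if len(frame) < HDR.size + TAG_LEN:
            return False, "short frame"
        magic, seq, length = HDR.unpack_from(frame, 0)
        if magic != MAGIC:
            return False, "bad magic"
        if length > MAX_PAYLOAD or len(frame) != HDR.size + length + TAG_LEN:
            return False, "length mismatch"
        body, tag = frame[:HDR.size + length], frame[HDR.size + length:]
        # 2. Authenticity: constant-time comparison of the tag over header + payload.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        # 3. Freshness: a captured valid frame must not be accepted twice.
        if self.require_fresh:
            if seq <= self.last_seq:
                return False, "replay"
            self.last_seq = seq
        return True, "ok"


def demo() -> dict:
    key = b"example-shared-key"   # constructed; a real key comes from the key store
    rx = Receiver(key)
    open_breaker = build_frame(key, seq=7, payload=b"OPEN BRK-12")   # constructed command
    tampered = open_breaker[:HDR.size] + b"CLOSE BRK-1" + open_breaker[HDR.size + 11:]
    oversized = HDR.pack(MAGIC, 8, 5000) + b"x" * 4 + b"\0" * TAG_LEN   # lies about length
    results = {
        "valid": rx.accept(open_breaker),
        "replayed": rx.accept(open_breaker),
        "tampered": rx.accept(tampered),
        "truncated": rx.accept(open_breaker[:-5]),
        "oversized_length": rx.accept(oversized),
    }
    # Same frames, freshness check disabled: the captured command works twice.
    weak = Receiver(key, require_fresh=False)
    results["replayed_without_freshness"] = (weak.accept(open_breaker), weak.accept(open_breaker))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28} {outcome}")
```

Two caveats a practitioner would add: the sequence counter has to survive a device restart (otherwise a reboot reopens the replay window for every frame captured since the counter last wrapped), and a strictly increasing counter tolerates lost frames but not reordered ones, so a link that reorders needs a window rather than a single high-water mark.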

Mark Heard (Eastman Chemical) is talking about the difference between the metrics the control system cares about and typical IT metrics. Do we have the right metrics? Tough to summarize this, but it is thought-provoking. Think of security dashboards or displays. Control systems live with and monitor displays all the time.

Rene Bourassa (Hydro-Quebec) completes this panel with another example of an asset owner that has successfully deployed a best practice, particularly around security zones. Changes firewall rules based on alert mode. The various rulesets are predefined and ready to go.
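Pre-built rule sets selected by alert mode, as Hydro-Quebec described, are easy to get wrong in two ways: a "tighter" mode that accidentally opens something, and a policy that only filters inbound (the INL panel's outbound-filtering finding). The following is an added example and not Hydro-Quebec's rules, which the talk did not detail; the zone names, services, interface names and the two modes are assumptions. Every mode is a complete allow list evaluated against default deny in both directions, a check confirms each higher mode is a strict subset of the one below it, a transition report lists the flows operators will lose when the mode changes, and a renderer emits the iptables-save style fragment for a mode so the set is ready before it is needed.

```python
"""Zone policy selected by alert mode, default deny in both directions.

Added example, not Hydro-Quebec's configuration. Zones, services,
interface names and modes are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Zone -> firewall interface (assumed names for the rendered rules).
ZONE_IF = {"corporate": "corp0", "dmz": "dmz0", "control": "ctl0", "eng_ws": "eng0"}


@dataclass(frozen=True)
class Flow:
    src: str    # source zone
    dst: str    # destination zone
    proto: str
    port: int
    note: str = ""


# Modes from least to most restrictive. Each is a complete allow list;
# anything absent is denied, whichever direction it crosses.
MODE_ORDER = ["normal", "alert"]
RULESETS: dict[str, set[Flow]] = {
    "normal": {
        Flow("control", "dmz", "tcp", 1433, "historian replication (outbound from control)"),
        Flow("control", "dmz", "udp", 123, "NTP"),
        Flow("dmz", "corporate", "tcp", 443, "corporate reads the DMZ historian"),
        Flow("eng_ws", "control", "tcp", 502, "engineering workstation to PLCs"),
        Flow("eng_ws", "control", "tcp", 3389, "remote desktop to HMI"),
    },
    "alert": {
        Flow("control", "dmz", "tcp", 1433, "historian replication (outbound from control)"),
        Flow("control", "dmz", "udp", 123, "NTP"),
        Flow("dmz", "corporate", "tcp", 443, "corporate reads the DMZ historian"),
    },
}


def is_allowed(mode: str, src: str, dst: str, proto: str, port: int) -> bool:
    """Default deny: a flow is allowed only if this mode lists it, in this direction."""
    return any(f.src == src and f.dst == dst and f.proto == proto and f.port == port
               for f in RULESETS[mode])


def validate_tightening() -> list[str]:
    """Each mode must allow a strict subset of the one before it; report violations."""
    problems = []
    for lower, higher in zip(MODE_ORDER, MODE_ORDER[1:]):
        extra = RULESETS[higher] - RULESETS[lower]
        if extra or RULESETS[higher] == RULESETS[lower]:
            problems.append(f"{higher} is not strictly tighter than {lower}: {sorted(f.note for f in extra)}")
    return problems


def cut_by_transition(old: str, new: str) -> set[Flow]:
    """Flows that stop being allowed when switching modes (what operators will lose)."""
    return RULESETS[old] - RULESETS[new]


def render(mode: str) -> list[str]:
    """iptables-save style FORWARD chain for one mode, ready to load."""
    lines = ["-P FORWARD DROP",
             "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for f in sorted(RULESETS[mode], key=lambda f: (f.src, f.dst, f.proto, f.port)):
        lines.append(f"-A FORWARD -i {ZONE_IF[f.src]} -o {ZONE_IF[f.dst]} -p {f.proto} "
                     f"--dport {f.port} -m conntrack --ctstate NEW -j ACCEPT")
    return lines


if __name__ == "__main__":
    print("tightening problems:", validate_tightening() or "none")
    print("cut on normal->alert:", sorted(f.note for f in cut_by_transition("normal", "alert")))
    print("\n".join(render("alert")))
```

Note what default deny in both directions buys here: control-zone hosts can reach the DMZ historian and NTP, and nothing else, in either mode, so the outbound path an implant would need is closed without anyone having to write a rule against it.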
