I3P Day
The I3P held an all-day event highlighting some of the work from their 2-year, $8.5M project. I missed the morning session due to PCSRF / Field Device Protection Profile (blog on this later). I did get to attend two sessions in the afternoon:
Security Monitoring for PCS Networks
Three organizations presented and demonstrated their products.
Sandia has a product called SLAP (Secure Linux Appliance). It is a Swiss army knife of Linux security products on embedded Linux. Some effort was made to make the product reliable and easy to deploy in a field environment, such as having no hard drive or moving parts and bridging so that IP addresses do not need to be modified. Management and key management will be essential for all but the smallest deployments.
SRI demonstrated their Emerald IDS with a number of signatures including Digital Bond’s SCADA signatures (thanks to SRI for giving us a credit). They also had a Mission Based Correlation (MCORR) product that was very interesting. It considered asset priority, vulnerabilities and two other factors in correlation and decision efforts. I’m looking forward to reading a paper on MCORR.
The University of Tulsa demonstrated a few Modbus tools they built from scratch. A passive Modbus tool detected attacks very similar to those covered by the Modbus Snort signatures. Nice work but not a big advancement; it might be more useful as a platform for future work since they have full control of the code.
I found the active tool that would identify active Modbus function codes and walk through the coils and registers to determine what was in use. We could use this tool for some of our research projects and assessments.
Which leads to a question. What, if any, of these products and tools will be available to the community? Are these products going to be open source or made freely available through some other mechanism? Are they going to be spun off as commercial products? Are they going to remain as lab tools used for future research?
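As an added example of the passive Modbus monitoring described above (this is not the University of Tulsa tool, nor Digital Bond's Snort rules): a minimal Modbus/TCP decoder with two allow-list checks of the kind such signatures make. The function-code allow-list, the master host address and the sample packets are all constructed assumptions for this example.

```python
import struct
from typing import NamedTuple

class ModbusTcp(NamedTuple):
    src: str
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_modbus_tcp(src: str, payload: bytes) -> ModbusTcp:
    """Decode a Modbus/TCP ADU: 7-byte MBAP header, then the PDU (function code + data)."""
    if len(payload) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack("!HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(payload) - 6:  # MBAP length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusTcp(src, tid, uid, payload[7], payload[8:])

# Assumed site policy (constructed, not from the post): only the HMI master may write.
WRITE_CODES = {5, 6, 15, 16}                 # write coil/register(s)
ALLOWED_CODES = {1, 2, 3, 4} | WRITE_CODES   # plus the usual reads
MASTER_HOSTS = {"10.0.0.10"}

def check_request(req: ModbusTcp) -> list[str]:
    """Alerts for one request, in the style of Snort Modbus rules (not a copy of any)."""
    alerts = []
    if req.function_code not in ALLOWED_CODES:
        alerts.append(f"unexpected function code {req.function_code} from {req.src}")
    if req.function_code in WRITE_CODES and req.src not in MASTER_HOSTS:
        alerts.append(f"write (fc {req.function_code}) from non-master {req.src}")
    return alerts

def monitor(packets: list[tuple[str, bytes]]) -> list[str]:
    """Passively run captured (src_ip, tcp_payload) pairs through the checks."""
    alerts = []
    for src, payload in packets:
        try:
            alerts.extend(check_request(parse_modbus_tcp(src, payload)))
        except ValueError as err:  # frames that do not decode are worth an alert too
            alerts.append(f"malformed Modbus/TCP from {src}: {err}")
    return alerts

# Constructed traffic: a register read from the master, a write from a non-master, fc 8.
SAMPLE = [
    ("10.0.0.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),
    ("10.0.0.99", bytes.fromhex("0002 0000 0006 01 06 0001 00ff")),
    ("10.0.0.99", bytes.fromhex("0003 0000 0006 01 08 0000 0000")),
]
```

`monitor(SAMPLE)` returns two alerts: the write from 10.0.0.99 and the unexpected function code 8.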
Designing Secure PCS’s
Some folks at MIT Lincoln Labs presented a tool called DEADBOLT that has been developed to detect buffer overflows in C and C++ code. This tool is used at the implementation and test phases. The code is transformed into a program that tests all pointers (if I got this right) for buffer overflows. Something about the sample inputs seems important to the success rate and to avoiding false negatives. The transformed code is run and the buffer overflows are displayed in a report, with nice reporting of what caused the overflow and where it occurred. I wish Matt were here to ask some intelligent questions.
DEADBOLT may eventually be spun out to a commercial company and made available for sale. The DEADBOLT team is working with Emerson to test the tool.
The next product is the High Security Master Terminal Unit (HSMTU) from the University of Illinois (Go Illini). The demo envisioned the HSMTU as an HMI inside a secure “box”. The example was that it prevented an attacker who had compromised the HMI from making any changes; actually, it just reverses unauthorized changes, which isn’t quite as nice. Think of it as a security wrapper. This would probably be sold as add-on technology to a control system application. I’m skeptical about any practical use of this, but it is research.
Last is the Access Policy Tool (APT) from PNNL. It specifies rules for an entire network at a higher level than an individual firewall or HIDS. The rules from all security devices are sent to the APT, and those individual box rules are checked against the high-level rules in the APT. It would be another check that the configuration on multiple products implements the desired security. Interesting research, but not much of a market for this in my opinion.
Author: Dale Peterson
Posted: June 8th, 2006 under I3P.