SANS SCADA Summit Overview
So last time I blogged about the first day with the intermediate class put on by INL (SANS). The next two days were a little different than other security conferences I’ve attended. The first day consisted of about 50 people in each intro or intermediate class and the second, by the looks of it, had about 200+.
The first few talks were interesting, but there seemed to be a lot of NDAs or security clearances cutting off the “nitty-gritty”.
Aaron Turner, who recently joined INL from Microsoft, provided some information about Microsoft’s security and how they protect their source code. A question was asked about the high cost for vendors getting Common Criteria certifications on their products. Aaron brought up a good point by asking “Is Common Criteria even the right approach?”.
Jason Larsen gave a speech that seemed very informative and had a lot of technical information. He made some comments about “a researcher disclosing vulnerabilities” and had a link to the Digital Bond blog. I won’t run that into the ground as Dale already covered it. He also discussed where he found some hackers (on IRC) discussing exploits being coded that worked on attacking RTUs.
On the second day an operator from a utility admitted to an open investigation with the FBI. They kept a lot of the information private; however, filling in the middle was pretty easy. The operator discussed how his co-worker (also an operator) came in on the weekend to check things out and just minimized the hacker’s windows. The following Monday the operator (speaker) came in, saw the madness, and immediately called the state police. Amazing. I wish I knew how the attack happened so that the same problem could be prevented at other utilities. It takes a lot for anyone to go up in front of utilities, asset owners, vendors, and research/consultants and tell the tales of how you were compromised.
Another interesting speech was given on a firewall and network traffic flow which somewhat resembled the Bell-LaPadula model. Only information from higher security levels could flow down, etc. I’m not sure on the effectiveness, but it seems the fw rule management might be somewhat of a nightmare. You would definitely need to audit/review your fw rules often to keep everything “up to par”.
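The rule-audit chore mentioned above can be made concrete. What follows is an added example, not code from this post or from the talk it describes: it assumes constructed zone names with numeric security levels (higher = more sensitive), a constructed plain-text rule format that matches no vendor's syntax, and the one-way policy that an allow rule may only originate in a zone at the same or a higher level than its destination. Run over a rule dump, it flags every allow rule that would let traffic enter a higher-level zone from a lower one, plus any rule that names a zone the policy does not know about.

```python
"""Audit a zone-based firewall rule set against a one-way flow policy.

Added example. Zone names, levels and the rule syntax below are constructed
for illustration and do not correspond to any vendor's configuration format.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: higher level = more sensitive zone. Policy: an allowed flow may
# only originate in a zone at the same or a higher level than its destination
# ("information flows down, never up").
ZONE_LEVELS: Dict[str, int] = {"corporate": 1, "dmz": 2, "control": 3}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source zone (traffic originator)
    dst: str      # destination zone
    port: str     # destination port or "any"


def parse_rule(line: str) -> Rule:
    """Parse one line of the constructed format:
    <name> <allow|deny> <proto> <src_zone> <dst_zone> <port>"""
    parts = line.split()
    if len(parts) != 6:
        raise ValueError(f"malformed rule: {line!r}")
    name, action, proto, src, dst, port = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action in rule {name}: {action}")
    return Rule(name, action, proto, src, dst, port)


def flows_up(rule: Rule, levels: Dict[str, int] = ZONE_LEVELS) -> bool:
    """True when an allow rule lets a lower-level zone initiate traffic into a
    higher-level zone, i.e. information would flow up. Deny rules never do."""
    return rule.action == "allow" and levels[rule.src] < levels[rule.dst]


def audit_rules(lines: List[str],
                levels: Dict[str, int] = ZONE_LEVELS) -> List[Tuple[str, str]]:
    """Return (rule name, reason) for every rule that needs reviewer attention.
    Blank lines and '#' comments in the dump are skipped."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        for zone in (rule.src, rule.dst):
            if zone not in levels:
                findings.append((rule.name, f"unknown zone '{zone}'"))
                break
        else:  # both zones known: apply the flow policy
            if flows_up(rule, levels):
                findings.append((
                    rule.name,
                    f"{rule.src} (L{levels[rule.src]}) -> "
                    f"{rule.dst} (L{levels[rule.dst]}) flows up",
                ))
    return findings


# Constructed rule dump; "vendor" is deliberately absent from ZONE_LEVELS.
SAMPLE_RULESET = """
# name                action proto src        dst        port
historian-export      allow  tcp   control    dmz        1433
dmz-to-corp-reports   allow  tcp   dmz        corporate  443
corp-to-dmz-web       allow  tcp   corporate  dmz        443
corp-to-control-rdp   allow  tcp   corporate  control    3389
dmz-ntp-to-control    allow  udp   dmz        control    123
block-corp-inbound    deny   any   corporate  control    any
vendor-vpn            allow  any   vendor     control    any
""".strip().splitlines()


if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULESET):
        print(f"{name}: {reason}")
```

The audit is deliberately one-sided: it only answers "which allow rules contradict the stated flow direction?", which is the question a periodic review has to keep answering as rules accumulate. Whether any flagged rule is a legitimate exception (a time-sync or vendor-access path someone approved) is the reviewer's decision; the script's job is to make sure each such exception is looked at instead of silently surviving in the rule base.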
Ciaran Osborn from NISCC gave an informative speech on SCSIE. SCSIE is a group made up of UK-based energy, transport and water companies and NISCC folks that discuss the ways to monitor and protect their SCADA systems. They meet frequently to discuss new technological approaches and share information regarding attacks or compromises. Ciaran mentioned how a lot of their future approaches and research are done with data obtained from methods such as SCADA Honeynets analyzed by Digital Bond.
Overall I really enjoyed the conference. I met a lot of great people and we all collaborated on different solutions and problems.
Author: Landon Lewis
Posted: October 2nd, 2006 under SANS.