2006 Top Ten SCADA Security List
Here is my view of the big events and items in 2006. I have excluded any Digital Bond items because it would be hard to be objective in those rankings. On Wednesday, I’ll blog on Digital Bond’s Top Ten from 2006.
10. Cyberstorm
DHS led this government and industry simulation of a cyber attack that included elements of SCADA protocol attack that spread throughout the critical infrastructure. This event did not generate a lot of buzz, and the details are no longer on the DHS site, but it was very useful to raise awareness and exercise some processes.
9. SCADA Fuzzers
Mu Security and Wurldtech developed commercial products and services that fuzzed SCADA protocols to identify implementation vulnerabilities. Fuzzers are not new, just new to SCADA protocols in 2006. Expect more on this. In fact, papers to be presented at S4 include utilities showing some fuzzing of OPC and ICCP.
8. INL Training Courses
The National Lab developed half day and full day SCADA Security courses at a variety of technical levels. These courses were taught free of charge at large industry events such as SANS and InfraGard. The courses are geared towards teaching the SCADA community about applicable IT Security practices. They were jam-packed with students and well received.
Hopefully in 2007 INL will find a way to formalize this training program and offer these courses on a more frequent basis. Or how about a computer based training version of the course? INL could do this themselves or license the courseware to certified training organizations similar to what Sandia did for their RAM training.
INL, Sandia and PNL continued in 2006 to receive millions of dollars from the US Government. I’m often critical that way too much of the results and tools remain locked up in the labs. The training is a success story that just needs that final push to be a gigantic success story.
7. Project LOGIIC
LOGIIC (Linking the Oil and Gas Industry to Improve Cyber Security) took the innovative approach of Government (DHS) and Industry (Chevron, Citgo, Ergo) jointly funding and managing a SCADA security research project. The project added SCADA intelligence to a Security Event Monitoring (SEM) product using off-the-shelf security products and two SCADA systems.
6. Verano SCADA Security Conglomerate
Verano was the first company to develop a SCADA security product with their Industrial Defender. In 2006 Verano purchased a SCADA security consulting practice, PlantData, and a Managed Security Services Provider (MSSP) with SCADA clients, e-DMZ. Now Verano has SCADA security products, consulting services and managed security services. It will be interesting to see how this works out because IT security conglomerates have not been successful.
5. Byres, BCIT, Tofino, MTL
Eric Byres made BCIT one of the top, if not the top, academic institution in SCADA Security research. In 2006, Eric left and took his field security device, Tofino, to ByresSecurity. Shortly thereafter, Eric announced that MTL would manufacture and distribute Tofino. The Achilles testing engine that was used on PLCs and other SCADA systems landed at Wurldtech. And BCIT, well, they are out of the SCADA Security research business. I’m sure many other academic institutions are working to fill this void.
4. Security Requirements Procurement Project
An INL, SANS, DHS, State of New York, etc. effort to develop procurement language that asset owners can use in their RFPs for new control systems. Vendors will only build what potential customers ask for. (See our blog review of this document.)
3. First SCADA Vulnerability Disclosure from US-CERT
SCADA vulnerabilities came out of the closet in 2006 as US-CERT and CERT/CC processed and disclosed SCADA vulnerabilities. To say this was not universally praised is an understatement, but we are big proponents of responsible disclosure led by a third party such as US-CERT and CERT/CC. This is covered in detail in our vulnerability disclosure blog category.
2. SANS Enters the SCADA Security Market
SANS, the largest IT security training resource, entered the SCADA security world with two SCADA Security Summits in 2006. While we have had a few instances to be critical of SANS SCADA comments and efforts, there is no denying their impact. Our 2007 resolution for SANS would be to develop and hold SCADA Security courses that would target training the IT Security community about SCADA and SCADA Security.
Easily the number one SCADA Security event of 2006. This is the first true standard with security requirements that can be audited along with some enforcement teeth through NERC today and FERC soon. In 2007 will we see other vertical industries leverage this effort?
Author: Dale Peterson
Posted: December 19th, 2006 under Big Picture.
Comments: 5
Comments
Comment from Thomas Maufer
Time: December 19, 2006, 1:49 pm
Related to #9, “SCADA fuzzing” is really too narrowly defined here. The problem in SCADA networks is not limited to SCADA protocols. Many embedded IP stacks are written from scratch (or hacked to fit) and have bugs in what you might think are the least likely places…like ARP or IPv4 itself.
Moreover, protocols like DNP-over-IP (DNP3) may need to be transported over TCP with SSL or TLS over IPv6 someday. The “Adaptive Analysis(tm)” approach taken by Mu Security is much more than simple-minded “fuzzing” and leverages an object-oriented database of vulnerability patterns spanning the entire protocol stack and all the dependent protocols supporting an application.
Mu Security’s Mutation Analysis represents the state of the art in code coverage and automated security analysis for over 40 protocols, in the context of a platform that also supports Published Vulnerability Analysis and External Analysis (the ability to automate your existing CLI-based tools).
At the end of the day, Mu’s remediation tools help your vendors quickly fix the faults that you find, and the platform’s regression capabilities let you verify that fixes actually fix the fault(s) that you found. No other solution takes this process-oriented approach to security testing where the focus is as much on enabling and validating fixes as it is on finding faults.
Comment from David
Time: December 19, 2006, 5:46 pm
Since this is moderated….
here goes…
““SCADA fuzzing” is really too narrowly defined here.”
– What do you mean by ‘here?’ I didn’t see anyone try to define it. — I suppose you need some segue to your commercial
“The problem in SCADA networks is not limited to SCADA protocols. Many embedded IP stacks are written from scratch (or hacked to fit) ”
—Is there another way? And written from scratch doesn’t = bad or = not tested
What do you mean by “many” do you have numbers?
and have bugs in what you might think are the least likely places…like ARP or IPv4 itself.
—So you know of bugs in ARP or IPv4?…or are they just the least likely places?
The “Adaptive Analysis(tm)”
— You TM’d “Adaptive Analysis”???? lol
approach taken by Mu Security is much more than simple-minded “fuzzing”
— fuzzing is as simple minded as the individual doing it, generally those people are very smart.
and leverages an object-oriented database of vulnerability patterns
— Why not TM the term “signature database” too
— and object-oriented? FYI an OODB is not just a buzzword, it has a set of pretty exclusive classifiers, one of which is its own database query language (not SQL)…you have that?
spanning the entire protocol stack and all the dependent protocols supporting an application.
—- Ah I feel much better now…at first your commercial was insulting and annoying…but in the end it worked out just fine.
Comment from Dale Peterson
Time: December 19, 2006, 9:41 pm
Comments are only moderated for spam. Once you submit an on topic comment you get on the approved commenter list and your comments are no longer moderated.
Of course, if we find someone spamming, offensive or consistently commercial they would get banned.
Disagreeing strongly with the blogger is always welcome.
Comment from David
Time: December 20, 2006, 10:38 am
Ah… thanks for your comments.
I said, “Since this is moderated….
here goes…”
figuring if I said anything out of line, the Mod (you) would just delete it.
I was a little excited, maybe too much. I read the blog expecting to learn something and felt assaulted by what I read.
For what it’s worth I’m calm now.
So, thank you for all your interesting posts and I look forward to reading more in the new year.
Comment from Marty Edwards
Time: December 20, 2006, 3:18 pm
Dale,
Thank you for mentioning the courseware that the Idaho National Laboratory has been developing and teaching at various events around the country. It is always nice to receive confirmation that our materials are relevant and making a difference.
I would like to note that credit for developing the courseware should be given jointly to the US Department of Homeland Security, and the US Department of Energy, as without their “millions of dollars” as you put it, these courses would not have been possible.
Thanks for your blog, it is widely recognized as one of the ‘heartbeats’ of the SCADA Security community.
Regards,
Marty Edwards
Industry Liaison Lead
Critical Infrastructure Protection and Resilience Division
Idaho National Laboratory