Friday News and Notes
- For our Australian readers, the TISN is putting on a series of free SCADA Security executive and practitioner briefings in Brisbane, Sydney, Melbourne, Perth and Adelaide in June. TISN is similar to the US PCSF. More information and registration here. (Hat tip: Ron Southworth)
- Dark Reading, an IT Security resource, made a SCADA scare article their lead story on Tuesday. Nothing blogworthy in the article - very formulaic. Talk to a few experts, pick out the most sensational quotes … What to note is not the content in the article but the increased attention SCADA is getting in the IT press. Are we going to see an article in Forbes in 2007?
- Eric Murphy of Matrikon weighs in on his OPC Exchange blog on Part I of the OPC Security Whitepaper we wrote along with Eric Byres.
- Rockwell Automation and Cisco announced they are developing “reference architectures and detailed design guidelines for the use of common networking technologies across the production and enterprise network”. These documents will be helpful to maximize existing security features if you are a Cisco shop and even more so if you are a Cisco shop and have RA on the plant floor.
- Bruce Schneier has a blog entry and column in Wired that laments the lack of knowledge and information to make sound security product decisions and makes the case for security standards and independent testing. It is just as true in control system security; see our RA AssetCentre blog for an example. This is why we are big proponents (full disclosure: also paid consultants) of the Achilles Controller Certification. Asset owners should not, and most cannot, assess the security of a protocol stack implementation. A related concern is the scrutiny of the security being designed into control system protocols such as OPC UA and DNP3. The process is an open standards effort, but there is a lack of crypto expertise on these working groups, but that is a topic worthy of a separate blog entry.
- Finally, we probably would be remiss in not linking to the California ISO incident. Information is minimal and not very interesting, but power was lost to five computers apparently in the control center. They have arrested a suspect who was a former contractor. Watch out for those disgruntled insiders, especially security consultants. Fortunately this guy was not very clever.
Author: Dale Peterson
Posted: April 20th, 2007 under Uncategorized.
Comments: 7
Comments
Comment from Jake Brodsky
Time: April 20, 2007, 9:57 am
Regarding Eric Murphy’s blog: I agree with all his points. HOWEVER: the situation would be much nicer if Matrikon, Kepware, et al. would actually discuss the Windows Security model and how to secure an OPC server in that arena.
I have yet to see anyone actually write up a useful guide on this. The out of the box recommendations are to open all orifices wide for the OPC driver. There is no discussion on what resources the OPC driver actually needs to work. There is no discussion on what risks need to be exposed.
Frankly, I don’t know if the companies themselves are to blame or whether the OPC Foundation just fell down on the job. In the end, it still means we’ve got one very poorly secured driver. And they wonder why people say rude things about OPC…
Comment from Dale Peterson
Time: April 20, 2007, 10:03 am
Jake - Part 3 of the OPC Security White Paper does this. We had a lot of people review this including people active in the OPC Foundation, Microsoft, Vendors and other experts.
It will be out the first Tuesday in June.
Comment from Ron Southworth
Time: April 20, 2007, 3:37 pm
I am looking forward to reading the third article in the series with great interest. The need for the sort of information on securing OPC has certainly been a long time in the planning and hopefully it will address the Foundation’s perceived lack of action in this regard.
Thanks for the hat tip Dale but it was not really necessary as there are a great number of people involved with TISN.
Hopefully in the long term there will be more direct means for communication of what activities and sharing are occurring as the SCADA CoI Portal comes into operation and evolves.
With respect, TISN is so much more than the PCSF in aspects other than just cyber security and at this stage of its continuing evolution. It is high praise to compare it to the PCSF on Cyber security efforts.
As a one-line description it is not too bad.
TISN has a vision for securing CI as an “All Business Risks Approach” and as such the SCADA Security community is only a very small part of a much larger picture of activities that it is involved with.
Where we are fortunate is that the equivalent of DHS and about 4 other USA federal agencies has come together in joint involvement & custodianship with the scope of activities they have defined.
On the AU federal government side it is actually two separate departments sharing the responsibility and working in harmony (IMHO) to bring together the community to improve the security of our critical infrastructure in this country. A pretty neat effort in itself to see federal government departments working so well together.
The briefing sessions and practitioner sessions should raise some awareness within the larger community. It is a very genuine effort to increase the involvement of everyone in the industry. The scope has widened from the first workshops in 2005 to a much larger audience seeking resources and manufacturing to vendors and suppliers. Hopefully it will be a landmark series of events.
Comment from Jake Brodsky
Time: April 20, 2007, 11:09 pm
Dale, regarding the lack of crypto experience on DNP3, I would appreciate it if you would outline what you think the Technical Committee is doing wrong and quietly convey this information to the Committee Chair, Andrew West.
I’ve been participating with the DNP3 Technical Committee for about a year. Grant Gilchrist worked very hard at getting a first draft of the authentication features released. I was there in Auckland when we reviewed, criticized and finally accepted a substantially modified proposal. That draft is now under review by at least two parties writing actual test code for it. One of the test code packages is open source.
The problems I have seen are not so much those of cryptography, but understanding what vulnerabilities the protocol has and what the signatures defend against. If you have something to contribute to this effort, I have very little doubt that your input would be most welcome.
Comment from Dale Peterson
Time: April 21, 2007, 11:17 am
Jake, I’m planning on digging into the new secure DNP3 for some SCADApedia entries and hope to have a podcast with Grant or someone else on the site in the next month.
Designing secure algorithms and protocols, and even integrating existing algorithms and protocols, is very hard. The field is littered with failures. So a credible effort should have multiple people that do this as a very large part of their job. Crypto and secure protocol experts, not control system protocol experts, although those are necessary as well and are well represented in the working groups.
For a while we were active in OPC UA security, but we pulled back because we did not feel there was not enough crypto and secure protocol expertise in the working group. I used to do this stuff back in the 80’s and early 90’s while at NSA and then in private industry. It is very disturbing when I’m not finding people who know a lot more about this than I currently do developing and vetting protocols.
At S4, Rob Lambert of Certicom, who has a PhD and patents on elliptic curve protocols, presented a paper on algorithm and protocol implementation that quite frankly went over just about everyone’s head, but that is the kind of resource we need looking at these protocols. Of course the problem is getting these people involved. There is little incentive to do it pro bono. I had hoped that some of the research dollars going to academia and the labs would have addressed this, but I have not seen this yet.
I’m less concerned about Secure DNP3 than OPC UA because the effort is leveraging existing security protocols to a greater extent. Stay tuned for more.
Comment from Matt Franz
Time: April 21, 2007, 5:34 pm
Wow it only took Cisco and Rockwell 4 years to get this press release out the door. It will be interesting to see the content.
Comment from Ralph Langner
Time: April 23, 2007, 4:45 am
Matt, sometimes you are outright funny
I am curious to see this document, too…