Weiss Day Three / NIST Event
First, a little clean-up from yesterday's afternoon demos.
- The demonstrations showing that DNP3 has no authentication to prevent an attacker from issuing commands, and that fuzzing the protocols caused denial of service, were in fact almost identical to what Ganesh presented at Defcon, only in a lot more detail. Both of these demos have been done at SCADA security events for years. So if the press had been accurate, the real story was that a gleeful SCADA “hacking” presentation was made at Defcon, a venue that attracts hackers of all hat colors.
- There was a bit of a stir because the controller vendor and model were displayed on the screen for a period of time during the Mu demo, along with a stated “500 ICMP vulnerabilities and TCP vulnerabilities” and some demonstrations of serious DoS attacks. So this was vulnerability disclosure to the 70 or so people in the room prior to notifying the vendor or US-CERT. It was not intentional, but it happened. Given the grief Digital Bond gets for responsibly disclosing vulnerabilities just to US-CERT, this is a pretty big oops in the eyes of the control system community.
This morning is the conclusion of Joe Weiss’s event, and this afternoon is a NIST workshop on control system security.
10:30AM - Perry Pederson led off the day with a presentation on the DHS NCSD programs. A few new items:
- DHS has developed a control system security training program in a box. The box contains the presentation and other materials for the class. It will be piloted in October and, if successful, released through PCSF after that. So if you are knowledgeable about control system security, you should be able to take this box and teach a course at your company or industry group.
- DHS has developed a curriculum for a graduate-level university course on control system security. It is for non-technical, management types and is available from the PCSF site.
Perry introduced Simon Hennin of Raytheon, who has a TSWG contract for the Cyber Attack Alert Tool (CAAT). This is another effort to collect and share threat information. Phase 1 is to “define standard data schema and protocol for communicating attack data”. This is similar to what we tried and failed to do in a PCSF working group. Only Lurhq (an MSSP) submitted data, for a few months, on about 5 control systems. There was a related S4 paper from Sandia/I3P on anonymous, authenticated information sharing. Simon is looking for participation if you are interested. It is a tough problem because of the “what’s in it for me, and is it worth the risk of sharing my information?” question.
Mike Peters from FERC presented later in the morning. He opened by saying he was not going to talk about the NOPR on NERC CIP, but he did strongly encourage everyone to read and comment on the NOPR. This was echoed by Scott Mix of NERC.
I’m not going to go into details on Mike’s interesting talk, to avoid writing anything that would prevent him from speaking at other events. What he did was take real-world events and extrapolate how cyber methods could have caused a similar incident.
Mike did discuss the risk equation and made the case for setting threat to 1, as they do in the RAM assessments. Essentially, this removes threat from the equation and focuses on vulnerability x consequences. In my opinion this is a classic government viewpoint, and maybe appropriate for government. History proves this approach does not cut it with C-level executives. They require threat info to justify spending.
6:00PM - I attended the first half of the NIST Workshop on Applying NIST SP800-53. There were some strong example presentations from TVA and Entergy. Then the groups broke up to answer the questions:
- Do you think that convergence of standards is important? Why?
- Are the NIST RMF and the ICS augmentation of SP800-53, Revision 1 a good basis for convergence?
The effort to answer these questions will continue tomorrow. Our group started by trying to determine what NIST meant by convergence. My opinion is that if convergence means everyone agreeing to use SP800-53, this will never happen and isn’t worth the effort to try. Many in SP99 envision their standard being used cross-industry. NERC isn’t going to move to SP800-53, and I have a hard time imagining other vertical sectors not issuing their own standards. You could even question whether convergence is helpful.
This does not mean that other standards bodies don’t look at SP800-53. SP99 WG4 is using it as a reference and may develop a mapping. In fact, the DHS Catalog of Security Requirements is a useful reference document, and if convergence meant that each standards body issued an appendix mapping its standard’s requirements to the SP800-53 requirements, that is probably achievable.
It will be very interesting to see whether, and what, consensus the group at the workshop achieves.
Author: Dale Peterson
Posted: August 16th, 2007 under Conferences, Standards & Orgs.