Last Chance for the EnergySec and Digital Bond Training

1760642062_06f0ba2096_n[1]Friendly reminder that there are a few seats still available for the CIPv5 Foundations course partnered with Digital Bond’s Cyber Security for Generation (click link for more details).

This two day course starts with the NERC CIPv5 Foundations course offered by EnergySec, and concludes with a deep dive by yours truly into applying technical NERC CIP and security principles and practices to the generation environment.

Those interested may register on the EnergySec website here. Cost for the paired training is $1,295.00 total, a savings of $100 is recognized when signing up for both courses.  Seats are limited to the first 25 participants, and EnergySec partners are offered their customary training discount.

Ready For Attack, Sir!

Cyber Security at the Ministry of DefenceThe most frequent question I get from reporters is “why haven’t we seen more security incidents in ICS”? It is now common knowledge that ICS are vulnerable, and eventually we will get the message out that they are, in fact, insecure by design. Why aren’t we seeing parts of the critical infrastructure, factories, building automation systems and more go down?

  • There are more security incidents than you hear about, accidental, non-directed (such as mass market malware) and directed attacks. The ICS world does not talk publicly about security incidents any more than other sectors.
  • There are potentially large consequences to taking out critical infrastructure. People could die; major environmental damage; large economic damage; and a big bullseye on whomever is responsible. An attacker will get a lot of attention attacking critical infrastructure even if he does not try to cause an outage or damage. Hunted down, jail, drone strike … and for what gain?
  • Lack of a profit motive or business model to ICS cyber crime. Security incidents jump in volume when criminals learn how to make money from the incident. Most of the ICS cyber incidents reported by ICS-CERT and others actually are attacks on the corporate network that runs an ICS. Manufacturing recipes, oil exploration data and other business data can be monetized.
  • The nation states who have exploited their adversaries critical infrastructure ICS have not received the order to attack.

I’ve been thinking about that last bullet for a while now. It lead to the paper Offensive Cyber Weapons, an ICSage session on Preparation and Persistence of ICS Cyber Weapons, and our PLCpwn research project. Every week there are more quotes and information that indicate the US and other nation states are deploying ICS cyber weapons in adversary critical infrastructure to have a capability to use the ICS cyber weapon when requested.

Here are two recent items that stood out:

Der Spiegel interview with General Michael Hayden:

As part of our military thought, we now think of cyber as a domain. Let me define air dominance for you: Air dominance is the ability of the United States to use the air domain at times and places of its own choosing while denying its use to its adversaries at times and places when it is in our legitimate national interest to do so. It’s just a natural thing for him to transfer that to the cyber domain.

If  a military wants the capability to use the “cyber domain” to take out part of an adversary’s critical infrastructure “at the time and place of its choosing”, it is necessary to have the ICS exploit in place and the ability to communicate with the exploit. (My Preparation and Persistence items).

The other item comes from the NYT article on the NSA Shotgiant program to compromise Huawei equipment:

N.S.A. analysts made clear that they were looking for more than just “signals intelligence” about the company and its connections to Chinese leaders; they wanted to learn how to pierce its systems so that when adversaries and allies bought Huawei equipment, the United States would be plugged into those networks. (The Times withheld technical details of the operation at the request of the Obama administration, which cited national security concerns.)

Planning and deployment of the exploit is very helpful if a nation state or other organizaton wants a reliable capability to effectively launch a cyber attack. Another pertinent example is NSA’s introduction of vulnerable crypto into RSA. The virtual stack of articles I’m collecting on offensive cyber efforts is large and only the proverbial tip of the iceberg that is visible.

The increasing offensive effort combined with the vulnerable and insecure by design ICS leads to the conclusion that exploits are already deployed on critical infrastructure ICS around the world awaiting an order to attack. Since effective ICS offensive efforts are increasing at a much faster rate than effective ICS defensive efforts the number of critical infrastructure ICS awaiting an order is likely to increase over the next 1 to 3 years. Perhaps there will be some ICS that have deployed exploits from multiple countries awaiting an order.

And don’t assume the weapon does not exist and is not deployed just because you don’t see a critical infrastructure ICS suffer a cyber attack. Most weapons are never used against a potential adversary.

——–

Loyal readers may have noticed that we haven’t written about whether what NSA and other organizations around the world are doing is right or wrong. It is an important discussion, but our focus on this site is security, not ethics. We will increasingly cover what is happening in ICS cyber weapons and how this affects offensive and defensive ICS security programs.

I may be biased as an ex-NSA guy from decades ago, but I think a lot of the anger aimed at NSA is misdirected. An organization like NSA is tasked with missions and given rules, or lines they must not cross, to achieve those missions. There are a lot of talented and dedicated people who believe in the mission at NSA, and they will do whatever they can within the rules to achieve it.

The mission has expanded and the rules have gotten very loose since 9/11 (it’s very different than the 80′s where people would be in jail now). Some of this is necessary because the Internet wasn’t an issue in the 80′s, but what the administration is asking from NSA and what Congress allows NSA to do are perhaps better areas to focus attention on.

Image by U.K. Ministry of Defence

  • Siemens Industrial Security

Friday News & Notes

Friday SCADA Security News and NotesHave a great research idea for “Automatic Detection and Patching of Embedded Systems”? Take a look at the DHS pre-solicitation notice announcement for funding under the Small Business Innovation Research (SBIR) program. There is a heavy Internet of Things slant to the item. FYI, this SBIR was what initially funded our SCADA IDS signatures and preprocessors that are now integrated into most commercial IDS.

SANS announced they will be teaching their new week-long ICS 410 ICS/SCADA Security Essentials class in Tokyo, Nov 10-14. The course will be taught in English and simultaneously translated into Japanese.

Critical Intelligence released there annual ICS Security Trends and Analysis Report, for purchase. The analysis of the quality and quantity of the new ICS vulnerabilities is the sizzle, but the most useful information is on new attack and defense techniques, threats and information that will help your detection efforts.

The National Institute of Building Sciences announced two workshops, for a fee. “The Introduction to Cybersecuring Building Control Systems Workshop and theAdvanced Cybersecuring Building Control Systems Workshop are both built around” the new Cybersecurity Framework. BYOBACnet script.

Image by TooFarNorth

XP EoL: Little Impact to ICS Security

XP in SCADAAll the fuss and tension over the security impact of Windows XP reaching its end of life next week is wildly overblown for the ICS community.

Yes there still are a lot of asset owners running Windows XP in their ICS environment. And yes, many of these asset owners are in critical infrastructure sectors. There is also a very high direct correlation between asset owners running critical infrastructure on XP and asset owners who are not applying security patches.

It doesn’t matter if security patches exist or not if you are not going to apply them even as infrequently as annually. The fact that Microsoft is not issuing patches doesn’t change their security posture one bit. In fact, some secretly are happy about this because they now have an excuse why they can’t patch.

Owner/operators need to come to grips with the fact they are running mission critical IT with ICS applications. Mission critical IT requires care and feeding and periodic upgrades. The days of install and don’t touch for decades has been gone for almost two decades now when the decision was made to move to Windows, Oracle, Ethernet, etc.

The security leaders in the ICS community, both asset owners and vendors have plans, and have implemented these plans, to address XP and other software obsolescence issues. They are well past the approach of install and don’t touch that leads to lurking fragility.

And it’s not as if the XP end of life snuck up on us.

———-

Let’s talk a bit about Microsoft. It is entirely reasonable for Microsoft to end support for XP. It is a business decision by Microsoft. Owner/operators cannot on one hand point to cost and the bottom line on why they can’t improve security and then ask a vendor to sacrifice their profit.

It was ten years or so ago when Microsoft held the first Manufacturing User Group summit in Redmond. At the time the outcry from the audience was we want a manufacturing specific OS for HMI, EWS, and ICS servers, stripped down with only what was needed in ICS. Microsoft considered this, decided it was bad business, and passed on this new ICS OS. They have gone different directions with Server Core and other embedded solutions.

Over those ten years vendors have continued to develop applications that run on Windows workstation and server OS. Asset owners have bought these ICS applications. All with the full knowledge that Microsoft moves to new OS and eventually drops support for old OS. This is not a new development and should have been planned for a decade ago.

Microsoft provided ample warning of this end of life. Asset owners had years to plan to upgrade there current application to Windows 7, or move to a new application if the vendor is out of business or refuses to offer a version on a supported OS. The asset owner can choose not to, but this is not Microsoft’s problem. Yes it will cost the asset owner time and money, with time usually being the bigger issue, but again they should have a policy that they run supported software and they have many years of warning this was coming.

S4x14 Session: You Name It; We Analyze It

Jim Gilsinn and Bryan Singer of Kenexis Consulting Corporation had a quick 12-slide/15-minute session on analyzing ICS protocols. Good information on the what and why of pub/sub in these protocols, as well as some protocol plots showing some of the challenges of analyzing these protocols.

S4x14 Session: At Least Pretend You Care

UPDATE – The video is added.  I wrongly assumed this was the lost 15-minute session. Sorry Sean.

Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a bit of bias to point out shortcomings since this is what Critical Intelligence does for a living, but loyal blog readers and anyone with insight knows the ICS-CERT Alerts and Advisories rarely provide worthwhile analysis.

If you are looking for ICS vulnerability statistical data the first nine slides have very useful charts. The remainder of the presentation goes through some typical and important failures by ICS-CERT and vendor CERTs.

I have some hope that the vendors will learn and get better. I have little hope that ICS-CERT will improve because they have yet to admit they are lacking. The ICS industry doesn’t help by praising the fact that they are putting out so many more Alerts and Advisories than in years past. They could let US-CERT or CERT/CC handle at least 95% of these and truly use their ICS expertise to dive deep in the 5% that matter.

Friday News & Notes

SCADA Security FridaySome of the big names, AT&T, Cisco, GE, IBM and Intel, have created the Industrial Internet Consortium. GE has been pushing the term Industrial Internet and may be the hub of the five founding partners, who by the way hold a majority of permanent seats in the IIC. Others are encouraged to join and come along, but it’s the founding partners’ game. Expect Siemens and a couple of GE’s other big competitors to do something similar if they have not already. BTW, there is a Security Working Committee in the IIC.

Joe Weiss, who I like to call the Paul Revere of the ICS world, cancelled WeissCon 2014 due to his consulting workload. Joe’s event was the first ICSsec event and drew a good crowd of asset owners. I had heard good things about the last two WeissCon, a bit of revival, so I’m sure this will disappoint many. Joe says it will be back in 2015.

We submitted our BACnet-discover-enumerate.nse for inclusion in Nmap so you wouldn’t need to download and install our script separately. Some minor code changes were required and are in process to meet the Nmap style and format. We will let you know when it happens.

Thomas Brandstetter was the face of Siemens CERT, most famously at BlackHat during the Beresford vulns. About a year ago he left Siemens and founded Limes Security in Austria. You can add Limes Security to the list of ICSsec training options. They have European-based courses for Managers, Engineers and more technical security courses for those who want to assess DCS and SCADA systems.

Even more ICSsec training … Cimation has opened CimationUniversity.com to provide online training courses. There are four courses ranging in price from $300 – 1,500.

ICS security events in Latin America are still rare, so take note of the CFP for the 1st SCADA Security Conference LATAM in Rio de Janeiro, Nov 5-7. The web site is available in English and Portuguese.

The US Government Accountability Office (GAO) issued a report entitled: Observations on Key Factors in DHS’s Implementation of Its Partnership Approach. The first bullet in the summary is humorous and sad. GAO points out that they identified information sharing as key in 2003 and problems with DHS information sharing in 2010. And they continue to beat that information sharing drum again. I can’t take US Government information sharing seriously until they say out loud and repeatedly critical infrastructure ICS applications, devices and protocols are insecure by design and need to be upgraded or replaced now. Most of what ICS-CERT/DHS shares is noise to show they are doing something.

Security consulting firms take not that Trustwave was included in a lawsuit related to the Target breach. “Trustwave scanned Target’s computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target’s computer systems. Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave’s watch.”

Image TooFarNorth

Redpoint: Discover & Enumerate BACnet Devices

Redpoint - BACnetDigital Bond has had an internal research project to develop tools that discover and enumerate ICS applications and devices. We call this project Redpoint, and we use the growing list of tools with care on ICS security assessments and other projects for our clients. They often begin as quick and dirty Python scripts, but the goal is to move as many as possible to Nmap scripts and make the most useful scripts generally available.

So let’s start with BACnet-discover-enumerate.nse, that you can download now from our GitHub Redpoint repository.

BACnet is widely used in building automation systems that monitor and control HVAC, lighting, fire detection, building security, … and of course it is insecure by design.

The discovery is more than just port scanning UDP/47808. The script sends a BACnet request to the port. Newer devices will respond with some helpful information; older devices send back a BACnet error message. Either way you know it is a BACnet device.

If the device is an IP BACnet Router you can often join the BACnet network as a foreign device. This slide from BACnet.org gives you some ideas on how helpful that would be in enumerating all of the devices, including serial connected devices, on a BACnet network. Those extensions and other more intrusive capabilities we keep in house.

If it is a device compliant with the BACnet specification post 2004, the script will pull some very helpful information as you see in the second and third examples in the screen shot.

  • Knowing the Object Identifier and having a BACnet client will usually allow you to issue commands to the BACnet device such as change setpoint, change schedule, or change program based on the capabilities of the BACnet device.
  • Vendor, Firmware and Software versions would be helpful in identifying default settings, device information and known vulnerabilities, although you really don’t need a vulnerability. We find it most helpful in telling the client what is where when an unknown building automation system is found accessible to everyone on the corporate network.
  • Where is the discovered device? The object name and location can give you a clue or very specific information if the asset owner or integrator used these fields. Again, take a look at the examples in the screen shot. This can be very helpful in an inventory effort or assessment.

Redpoint

We want to be clear on what this is script is not. It is not a discovery of a new protocol or protocol implementation vulnerability. It is using documented features of an insecure by design protocol. The “big hack” we did to create the script was read the specification.

We chose to start the publicly available version of Redpoint with BACnet because building automation systems are so widely deployed on corporate networks, and yes you will find many Internet accessible BACnet devices.

This BACnet script was a team effort with Michael Toecker digging into the protocol and generating some Python scripts and sample pcaps and Stephen Hilt wrote the parsing code and converted some of initial Python efforts into an Nmap script.

Stayed tuned for additional Redpoint releases, or even better add your ICS discovery and enumeration tool to Redpoint.

Image by Dru!

Is The Cyber Component of War Less Predictable?

ICS Cyber Weapons

Martin Libiki wrote “Why Cyber War Will Not and Should Not Have Its Grand Strategist” in the Spring 2014 edition of Strategic Studies Quarterly, and for a shorter take on this read Tim Steven’s summary and analysis of this article. The pull quote from Steven’s analysis is:

Libicki presents a nuanced argument for why cyber war/fare is significantly less revolutionary than it is often presented, a position also taken by several writers of this parish. I won’t rehearse those arguments here, except to say that Libicki is onto something fundamental here: success in the ‘fifth domain’ is often unpredictable, which makes it a very risky proposition, tactically, operationally and strategically. Says Libicki, ‘Everything appears contingent, in large part, because it is’. Hardly the basis for a grand theory of cyber war, he reasons.

There are two contentions in this paragraph that are worth some thought. The “fifth domain” is cyber, with air, land sea and space being the other four. Are cyber weapons and cyber offensive and defensive activities in a war less predictable than the other four domains? At this point the answer is yes, but this could be because we do not have the historical data or years of theory and analysis that the other domains have. Will it continue to be less predictable after experience and study?

I don’t have a position on this yet, but the question is interesting and important. I believe it is safe to say that decision makers on war activities are much less likely to rely on or use a weapon or strategy that is unpredictable.

Looking at the ICSsec world we live in, our experience indicates that we could create and use an ICS cyber weapon with very predictable results. There are counter examples of cyber weapons were the results are less predictable. However I imagine this would be true of weapons in the other four domains.

The other point in the quote worth considering is “cyber war/fare is significantly less revolutionary than it is often presented”. Thomas Rid indirectly takes this approach in his book Cyber War Will Not Take Place, but he is talking about a cyber war not cyber weapons or cyber warfare. With the level of  ”cyber” in the weapons in the other four domains, it would seem that it is revolutionary.

One last related point and question … should militaries be creating a Cyber Force or integrating Cyber into the existing Army, Navy and Air Force organizations or both?

More questions and ramblings than answers or firm opinions in this post, but these are important topics and ideas and more of the reason why we added the ICSage: ICS Cyber Weapons day to S4.

Image by boilingwaterfrog

Friday News & Notes

4922068101_f0c27d8894Dragos Security founders Matt Luallen and Robert Lee announced their first product: CyberLens.  CyberLens enables the passive discovery and identification of cyber assets on a network. I asked and Robert answered in a twitter discussion what makes CyberLens different than Tenable’s PVS and other solutions. The challenge products like Sophia and CyberLens have is: are the ICS intelligence advantages enough to warrant selecting a less complete, proven, likely to survive solution?

On a related note, the kerfuffle between Corey Thuen (Southfork Security) and INL on Sophia must have eased a bit as Corey is the guest presenter at the ICSJWG Webinar I Think, Therefore I Fuzz on March 27th. I couldn’t find a registration link on the ICSJWG site.

The Full Disclosure List was closed this week. A number of ICS vulnerabilities were first disclosed on this list, much to the dismay of many in the ICS community.

Continuing on disclosure, Jake Brodsky over on SCADASEC tells a story of finding a “wide open” FTP server at “a small controls firm that does ICS application software programming”. “It had correspondence regarding various ongoing projects with utility plant upgrades. It had application programs. It had drawings. It had spreadsheets of I/O maps and descriptions.” So they called DHS, who called the firm, and now there is a password on the FTP server. I’m sure loyal readers know that this is not enough. My question … has the firm notified their customers that sensitive data was Internet exposed for years? If not are Jake, DHS and the firm practicing “responsible” or even “coordinated” disclosure. Don’t answer that; it was to prove a point. Those words have always been subjective and ring hollow to me. And this is more evidence that disclosure is not worth the discussion because whoever finds the vuln will do what they choose to do.

The Japanese government recently held a cyber exercise. According to the JapanToday, “Some 50 cyber-defense specialists gathered at an emergency response center in Tokyo, with at least three times that many offsite, to defend against a simulated attack across 21 state ministries and agencies and 10 industry association.”

NERC issued the report on the GridEx II that occurred last December. Sit down off the record and over a beer with participants and you likely will get a different view of the events.