Havex / Stuxnet / ICS-CERT / DHS

I believe the last time ICS-CERT announced malware that specifically attacked a control system product or protocol was back on July 20, 2010. At that time I naively railed that DHS / INL / ICS-CERT should be thoroughly investigating this and determining the impact to control systems. After they essentially and intentionally dropped the ball, I was encouraging the guy in the ICSsec community who knew the most about Siemens’ products and protocols to dig into it. Ralph Langner and his team, along with some great work from Symantec, did the analysis that led to the world learning about Stuxnet.

Now we have the announcement from F-Secure on the Havex RAT. There are two reasons to believe this attack is targeted at ICS. First, it is doing something with the OPC protocol. OPC is often used to transfer process data between systems from different vendors. Almost every ICS made in the last decade has an OPC interface; it is the ICS universal translator.

What it is doing to OPC servers is still unclear. If this is an early phase of an attack, it could simply be running OpcEnum to gather information about what OPC servers are on the network. Most do not deploy the available security controls in OPC because it is difficult (even after reading a three-part white paper from Byres / Digital Bond), and it breaks necessary comms if not done right. Also, the lack of good coding practices leaves many OPC servers with vulnerabilities, some disclosed and many just waiting to be found or used.

The other reason to believe it is targeting ICS comes from F-Secure:

Of more interest is the third channel, which could be considered a form of “watering-hole attack”, as the attackers chose to compromise an intermediary target – the ICS vendor site – in order to gain access to the actual targets.

It appears the attackers abuse vulnerabilities in the software used to run the websites to break in and replace legitimate software installers available for download to customers.

Our research uncovered three software vendor sites that were compromised in this manner. The software installers available on the sites were trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.

Based on the content of their websites, all three companies are involved in development of applications and appliances for use in industrial applications. These organizations are based in Germany, Switzerland and Belgium. Two of them are suppliers of remote management software for ICS systems and the third develops high-precision industrial cameras and related software.

Let’s watch the post-discovery DHS / INL / ICS-CERT analysis of the Havex RAT. I’ll keep my tinfoil hat in the closet for now.

F-Secure’s discovery of this ICS malware leads to a question … shouldn’t DHS / INL / ICS-CERT be scouring malware data and samples to identify ICS malware?

I have to give Michael Toecker credit for being prescient on this. While at Digital Bond he had a Mining Malware research project and wrote a bit about it. Time and other limitations left it at primarily conceptual conclusions, but the idea had merit and likely would have identified this as ICS malware if the F-Secure or VirusTotal sample had been scanned.

Developing a process and tools to identify potential ICS malware in large sample sets seems like an ideal project for DHS / INL / ICS-CERT. Then give it (don’t try to sell it, a la Sophia) to those with large sample sets, with some agreement to share the results. The ICS world would get some great threat data from the often touted, but rarely of value, public/private partnership. Big win.
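As an added example (not code from Digital Bond or the Mining Malware project), here is a small triage pass of the kind the post proposes: it scans sample bytes for strings tied to ICS protocols, here OPC DA interface names and the OpcEnum service, and surfaces candidates for ICS malware out of a larger sample set. The indicator lists, the flagging threshold and the sample bytes are assumptions constructed for this example.

```python
"""Triage scanner that scores malware samples for ICS-related artifacts.

Added example, not code from Digital Bond or the Mining Malware project.
Indicator lists, threshold and sample bytes are constructed for illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Indicator strings grouped by the ICS artefact they point at.  The OPC names
# are classic OPC DA COM interfaces plus the OPC Foundation's OpcEnum service;
# s7otbxdx is the Step7 DLL name known from the Stuxnet analysis.  The lists
# are assumed for this example, not a vetted signature set.
ICS_INDICATORS = {
    "opc": [b"OpcEnum", b"IOPCServerList",
            b"IOPCBrowseServerAddressSpace", b"IOPCItemMgt", b"IOPCSyncIO"],
    "siemens_s7": [b"s7otbxdx"],
}

MIN_INDICATORS = 2  # assumed: distinct hits needed before a sample is flagged


def extract_strings(data: bytes, min_len: int = 4) -> set[bytes]:
    """Return printable ASCII strings plus UTF-16LE strings narrowed to ASCII,
    so indicators stored as wide strings in Windows binaries are also found."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = set(ascii_re.findall(data))
    found.update(m[::2] for m in wide_re.findall(data))  # drop the NUL bytes
    return found


@dataclass
class TriageResult:
    sample_id: str
    hits: dict = field(default_factory=dict)  # category -> sorted indicators

    @property
    def score(self) -> int:
        return sum(len(v) for v in self.hits.values())

    @property
    def flagged(self) -> bool:
        return self.score >= MIN_INDICATORS


def triage(sample_id: str, data: bytes) -> TriageResult:
    """Match every indicator against the sample's strings (substring match)."""
    strings = extract_strings(data)
    result = TriageResult(sample_id)
    for category, indicators in ICS_INDICATORS.items():
        matched = sorted(ind.decode() for ind in indicators
                         if any(ind in s for s in strings))
        if matched:
            result.hits[category] = matched
    return result


def triage_many(samples: dict[str, bytes]) -> list[TriageResult]:
    """Score every sample and return only the flagged ones, highest score first."""
    results = [triage(sid, data) for sid, data in samples.items()]
    return sorted((r for r in results if r.flagged), key=lambda r: -r.score)


# Constructed sample bytes (not real malware): MZ-like header followed by the
# kinds of strings a triage pass would look for.  One carries OPC artefacts
# (one of them as a wide string), one looks like a generic RAT, one has a
# single Siemens hit that stays below the review threshold.
SAMPLES = {
    "opc_scanner_like": (b"\x4d\x5a\x90\x00" + b"\x00" * 16
                         + b"IOPCServerList2\x00"
                         + "OpcEnum".encode("utf-16-le") + b"\x00\x00"
                         + b"IOPCBrowseServerAddressSpace\x00"
                         + b"CoCreateInstanceEx\x00"),
    "generic_rat_like": (b"\x4d\x5a\x90\x00" + b"\x00" * 16
                         + b"WinHttpOpen\x00" + b"cmd.exe /c \x00" + b"HTTP/1.1\x00"),
    "step7_dll_like": (b"\x4d\x5a" + b"\x00" * 8
                       + b"s7otbxdx.dll\x00" + b"Kernel32.dll\x00"),
}

if __name__ == "__main__":
    for r in triage_many(SAMPLES):
        print(f"{r.sample_id}: score={r.score} hits={r.hits}")
```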

Image by turiskopio

South Beach Hotel for S4x15

I came a day early to South Florida this week to check out the newest official S4x15 hotel: the Surfcomber Hotel in South Beach.

Those still wanting large rooms and suites, luxury, quieter beach and close to the best malls and the Kovens Center can stay at the Trump International. This got high marks from attendees the last two years. To meet the request for a South Beach hotel we are making the Surfcomber Hotel the second official S4x15 hotel … and we got a great rate for attendees.

The Surfcomber is right in the middle of the South Beach action. It’s close to Lincoln Road, all the great art deco hotels and neon signs, restaurants of all types and price ranges, great people watching and bars and clubs.

Of course this location and activity means smaller rooms in an older (1948) hotel and noisier atmosphere. Kimpton bought and did a major update and refurbishment a couple of years ago, but it is a smaller art deco hotel in a party area of South Beach. So attendees will have a good choice between the Trump and Surfcomber.

The main reason I wanted to see the place was to go over ideas for the social event we will hold there on Thursday night out at the pool. The pool is somewhat famous for parties, and Daley Direction has some unique and fun ideas for the S4 / ICSage convergence event.


Friday News & Notes

Bloomberg published more detail on the “UglyGorilla” attack on pipeline SCADA. It’s worth reading past some of the hyperbole in the article to learn what information was taken. “Operatives vacuumed up caches of e-mails, engineering PDFs and other documents, but it was their focus on supervisory control and data acquisition, or SCADA, systems in industrial computers that most concerned U.S. officials.” We have heard more detail on what was taken, and some of it would be very helpful in crafting an attack.

EnergySec/The Anfield Group has published the Agenda for their 10th Anniversary Summit, August 18-21 in Austin, Texas. Days 1 and 2 are training and workshops. Day 3 is a day primarily devoted to sponsor presentations. This is a bold move given the general revulsion to vendor presentations that have even a whiff of commercialism, but give them credit for being clear that they are sponsor presentations. Day 4 looks like the best day with a solid agenda.

The PHDays blog has more detail about the Critical Infrastructure Attack contest at PHDays 4. “Organizers added new SCADA systems (such as Siemens TIA Portal 13 Pro and Schneider Electric ClearSCADA 2014) and various OPC servers (Kepware KepServerEX, Honeywell Matrikon OPC). New HMI devices, the operator panel Siemens KTP 600, PLC (Siemens Simatic S7-300 and S7-1500) and remote control devices (ICP DAS PET-7067) were presented as well. Schneider Electric MiCOM C264 was provided by CROC.” Impressive.

The Kuwait Industrial Automation and Industrial Control System (KIACS) Cyber Security event graciously put videos of the sessions on YouTube. The production quality is first class. After watching a few sessions it appears to be an excellent event for those new to the field of ICS security.

Joe Weiss participated in the filming of a television show on ICS security. He took the camera crew out to a couple of transmission substation sites and found they were left alone while parked in an unmarked van and filming the substation. Expect this to generate some articles when the show is on air.

Image by ChrisinPlymouth

FireEye / Mandiant Try The ICS Market

The ICS security community is still tiny, so when a large vendor recruits five or so names in the industry it gets some attention. They are placing at least a small bet that there is enough business to scale to a size worth pursuing. Security vendors have tried this before, most notably Symantec, only to quietly walk away or deemphasize the effort in ICS security.

About the same time that FireEye was purchasing Mandiant, Mandiant was building their ICS security team. Dan Scali from GE and Chris Sistrunk from Entergy (and DNP3 hacking fame) were two of the hires near the start of 2014. They have since added Anthony Persi from INL/DHS, Kyle Wilhoit from Trend Micro (and ICS honeypot fame), and Rob Caldwell from GE.

What is Mandiant going to do with this new ICSsec talent? Dan Scali responded to my tweet with:

Without reading too much into a tweet, let’s evaluate the possibility of selling IOCs as a service. There is a market for ICS IOCs just like there is a market for ICS IDS signatures, ICS malware and ICS threat intelligence. It just has not proven to be large enough for a vendor the size of Mandiant to find interesting. Add to this the insecure-by-design ICS protocol and PLC issue, non-patching, poor configuration, and minimal ICS attack data, and it is hard to imagine an IOC feed that would be of value to many asset owners. Many ICS asset owners are very large companies, so perhaps the addition of ICS IOCs is appealing in concept. Still, I would rate selling ICS IOCs as a loser for Mandiant.

Incident Response is where the Mandiant play begins to make sense. We have had clients that have used Mandiant’s IR for suspected corporate network compromises, but told Mandiant to stop at the ICS security perimeter. Mandiant could not, or chose not to try to, convince the client that they had the ICS expertise to move the IR into the ICS. The addition of the ICS talent to the Mandiant team could solve this problem.

The additional revenue provided by extending the IR into the ICS is one benefit, but likely not the win Mandiant wants. In a competitive situation, Mandiant now can promote this ICS IR capability to the very large companies that also have ICS that are the drivers of running critical infrastructure, generating product, … the items the company is in business to do.

ICS IR is a challenge. When features can be used to compromise the ICS, it is harder to identify IOCs. It is not impossible, but new techniques are required.

I’m looking forward to seeing some Mandiant presentations on this in the future.

Image by Norfolk Fire Service

S4xJapan Logo and Update


S4xJapan: October 14-15 in Tokyo

I had a bit of fun in Tokyo last month creating a logo for S4xJapan. In Japan people use a hanko, an ink stamp, to sign documents ranging from FedEx or Black Cat delivery acknowledgments to important official documents. A hanko is designed around a person’s or company’s name, and each hanko is a bit different even if the name is the same.

The S4 logo we have used since 2007 always reminded me of a hanko. So I had a designer and hanko maker modify it a bit to add xJapan and make the image look like a hanko stamp. We actually made a hanko as well to stamp documents at S4xJapan.

The S4xJapan call for presentations is open until July 18th. The early response is encouraging and newsworthy, but we are still looking for great sessions in Japanese or English for OTDay and the main S4xJapan day. Send your proposed presentation topics and abstracts to s4@digitalbond.com.

S4xJapan Venue

The event will be held in the auditorium of Academy Hills on the 49th floor of the Mori Building in Roppongi Hills. The location is ideal: for Japanese attendees it is close to Roppongi station, and for foreign visitors it is close to many hotels, restaurants, nightlife and places to see.



The auditorium lends itself to a technical event like S4xJapan. Every seat has power; quality Internet is free of charge; and when you are on break there is a nice view of Tokyo.

The auditorium is also set up for recording the event, and our plans are to record both OTDay and the main event for future distribution, in the hope of providing some of the best Japanese language ICS security content available to date.

There is much more to tell after the agenda is published and registration opens. We have a fun and unusual social event planned for Tuesday night, innovative and anonymous Q&A plans, and are working on some unique giveaways that will be appreciated by Japanese and foreign attendees.

The best way to guarantee your spot and get in free of charge is to submit a killer presentation abstract and speak at S4xJapan.

Friday News & Notes

The German government’s National Cyber Defense Center has little to show over the last three years, according to the German Government. The Langner Group covers the story of a classified report that was leaked to the press. A small number of employees who lacked experience and did little …

Walt Boyes reports on ISA selecting AE Solutions “to market and deliver the International Society of Automation’s (ISA) series of safety, cybersecurity, and alarm management courses.” This follows, and likely is related to, John Cusimano’s recent move from Exida to AE Solutions. There are many ICSsec training options out now, and this should help ISA training be more competitive. Unfortunately for ISA, they likely missed the window when they could have dominated, or at least been the leader, in this space.

Honeywell has added an IPsec encryption option between PC components in Experion.

Patrick Coyle reports on the seemingly stealth Chemical Sector Security Summit. This previously popular and sold out event seems to be fading away due to lack of interest by DHS.

On a positive note, Patrick reports the 122-page Actions to Improve Chemical Facility Safety and Security – A Shared Commitment “is a pretty good effort at identifying the actions that the government (at all levels) and industry need to take to improve chemical safety and security.” It includes a section on implementing the Cybersecurity Framework, more evidence that the CSF is taking root in every sector.

ICSJWG Needs A Refresh

I attended my first ICSJWG since 2011 last week in Indianapolis. It was an OK event with some interesting talks and a chance to reconnect with familiar faces in the ICS industry. It is however a far cry from the must-attend DHS event back when it was called PCSF. I rate a few other similar events, such as WeissCon and the SANS Summits, as much better. The main thing ICSJWG has going for it in its current form is the price — it’s free.

This is disappointing because there is a place for a premier US government event in ICSsec. Below are recommendations for the next ICSJWG.

1. Have the best, can’t miss government sessions

a) ICSJWG should be the event where DHS and other USG organizations make the most important, can’t miss ICSsec announcements of the year. I don’t believe there was any news at ICSJWG … and little or no press.

b) Throw in a big government name speaker each day. The Indy ICSJWG had Governor Mike Pence, DHS Assistant Director Touhill and NCCIC’s Larry Zelvin. This hit the mark and should be continued. These presentations often lack new information, but the audience likes to see the names.

c) It also should be the event where the government explains in detail the most important programs. The Indy ICSJWG had a big miss on the NIST Cybersecurity Framework, arguably the most important USG ICS initiative. A NIST representative read a dry speech to the audience that included little new or helpful information. The DHS speaker on the subject was a no show so she read his speech as well. An attendee could reasonably draw the incorrect conclusion that now that the document is out the effort is over.

ICS vendors, asset owners, consultants and other ICS security professionals should feel ICSJWG is where important USG information will be revealed and explained in detail. This is the most important and easiest improvement for DHS to make. (And just to be clear, this does not mean more presentations explaining the bureaucratic organization structures in the USG.)

2. Hold a professional event

This is a hard criticism, because I know some of the organizers worked hard on ICSJWG Indy. If that truly is the best that can be done due to USG limitations then don’t hold ICSJWG.

  • Publish the agenda earlier, two months before the event
  • Have some basic refreshments at the breaks. There was no coffee or drinks or snacks or even tap water at the breaks. This may seem petty, and a fancy lunch or party is not necessary, but it’s common courtesy and a bit embarrassing that there are not basic refreshments.
  • Find a quality venue. The main auditorium had a very poor projector, strangely inconsistent air con, and no power for laptops. The break out rooms had problems as well. I know they like to move ICSJWG around, but perhaps they should stick with a quality government venue in DC. The possibility of holding the next ICSJWG in Idaho Falls would be another big mistake. (The Indy area was great and well received; walk to everything)

3. Only one ICSJWG event each year

Based on the agenda, there is not enough content to hold two events a year, and they would be better served placing all the effort on one quality event each year. It also would draw a bigger crowd and more buzz.

4. Something special

There should be something new each year. The classified briefing may have qualified this year. I don’t have a clearance so I’m not sure if it provided helpful and new information, but it is something that other events could not offer.

I’m rooting for ICSJWG. With all the advantages they have, and admittedly some bureaucratic challenges, it should be a great event and an important way to move forward the public / private partnership that is often touted as being so important. If it is no longer a priority and can’t be significantly improved it should end.


Cloud Computing

I had finished my presentation on a wide variety of topics (Big Data / Cloud Computing / Internet of Things / ICS remote access), and the Q&A had started. After stressing in the presentation that ICS data can be shared anywhere without jeopardizing the integrity and availability of the ICS, but that non-emergency remote access to critical infrastructure ICS must not be allowed, I got the question that illustrates the challenge in making progress in ICS security.

Paraphrasing the question … “What you recommend is impossible, especially for the next generation of workers that expect to be able to make changes to the plant from their basement on their iPhone. Given that prohibiting remote access is impossible, what is your recommendation to secure it?”

IT’S A TRAP!!! And one that I refuse to play along with. The depressing thing was that, looking out at the audience, I could tell that a large portion, a majority?, agreed with the questioner. An audience of vendors, asset owners, consultants, government officials et al. that are looked to to define ICS security thought that it is inevitable and acceptable that critical infrastructure will be controlled from phones, tablets and laptops anywhere, anytime as a regular occurrence.

This is one of the reasons I have significantly reduced the number of ICS security events I attend and speak at. If the ICS security community was going to force change and solve this problem it would have happened by now. Change is going to come from outside the ICS security community or not occur until a very sad and tragic event or two happen. And this is not something I’m willing to wait for.

There were a number of supportive attendees who came up after the presentation. And please don’t misunderstand, I welcome disagreement on a presentation or solution (see Darren Highfill’s S4x14 Unsolicited Response), but not surrender. It is also important to note that there are a number of critical infrastructure asset owners that are doing, and are committed to continuing, what the questioner said was impossible.

This is one of many areas where the US Government and DHS could take leadership if they chose to. The DHS response to the insecure-by-design problem was not to focus on it as an issue that must be fixed. Instead DHS took the position that insecure by design would not be considered a vulnerability worthy of an ICS alert or advisory. It would have been surprising, but refreshing, to have someone from DHS push back hard on the comment about the inevitability of anytime/anywhere remote control of critical infrastructure and say this should not be an option in critical infrastructure.

Attendees and others interested can see my Prezi online at this link. Admittedly, the picture based Prezi is a bit harder to understand unless you were there or the entire script is included.

Given this was a DHS event, I thought it only appropriate to focus on ICS that monitor and control the critical infrastructure. So after quickly dismissing the Internet of Things, with an interesting WEIS statistic, the bulk of the presentation used the GE On Site Monitoring / Atlanta Data Highway as an example.

Monitoring 1800 power generation systems in 60 countries is a great example of the promise and benefits of Big Data / Cloud Computing. It also is a big, fat, high value target. Does this mean that critical infrastructure ICS should avoid these types of services? Absolutely not. Just push the data to them so the integrity and availability of the ICS is not at risk.

Does Software as a Service (SaaS), e.g. an HMI in the cloud, have a place in ICS? While SaaS has no place in a critical infrastructure ICS, you can make an argument that an HMI in the cloud might be lower risk for a small municipal water utility than a completely neglected ICS with a weak security perimeter.

Tomorrow I’ll write about the rest of the ICSJWG event.

Reid’s Back! Digital Bond Labs

I’m very pleased to announce Reid Wightman is returning to Digital Bond after a couple of years at IOActive.

Reid will be leading a new division, Digital Bond Labs. He will write soon on what Labs is and what it will do, but let me talk about the reason we formed Labs.

The most popular service in our Consulting division is asset owner assessments. Here we look at the ICS in terms of good security practices and known vulnerabilities, and we provide prioritized recommendations based on efficient risk reduction. We will do some fuzzing (both random-data and smart fuzzing) on interesting ICS ports and protocols, but in general we are not hunting for new vulnerabilities for most clients. I don’t believe that asset owners should pay for finding new vulns in vendor products, and getting the vendor to fix latent vulnerabilities would rarely rate high on the prioritized list for most asset owners.

Increasingly we are being asked by vendors to test and assess their products as part of their security development lifecycle prior to release. This is a very different skill set of firmware and hardware analysis as well as developing semi-custom tools for each assessment. Quite frankly, Reid was the best we have ever had at doing this type of work. So it is great to have him back to do this work.

But we wanted more than just to add back his talents. We wanted to develop a team of talent in this area to collaborate and learn from each other. Even in this narrow field there are different areas of expertise, background and skills. We also wanted this team to be able to focus on this type of security work, rather than finding the low-hanging fruit in ICS installations (weak security perimeters, no endpoint security, default credentials, …).

So we were able to entice Reid to come back to form Digital Bond Labs … and he is hiring.


Friday News & Notes

Dark Reading reports this week on Bitsight Technologies’ security ratings for the utility industry. Bitsight scored the sector as second highest in security posture, with the financial industry rated first. This scoring is primarily based on the corporate network, not ICS. However, this does confirm that many utilities have capable IT security staffs that could help Operations if everyone played well together.

Based on Congressional Testimony, ICS-CERT is ramping up their free consulting practice. “ICS-CERT, in coordination with DOE and the Federal Energy Regulatory Commission (FERC), has also started an initiative dubbed “SAFEGUARD” to assess the cybersecurity of major energy sector asset owners (e.g., electric and gas utilities, petroleum companies) to proactively understand the state of security. Customized services include cybersecurity assessments, network architecture reviews, network scanning to look for static indicators and indicators of adversary persistence and anomalies, and control systems network traffic visualization.” Hopefully the recipients of this taxpayer funded consulting will be required to report on the remediation of identified risks and ICS-CERT will be able to publish detailed but anonymized information.

The team at Shodan has put up an ICS Radar page showing where in the world Internet-connected ICS applications or devices have been found, along with some global statistics by protocol. John Matherly will also be presenting at ICSJWG next Wednesday.

The on-again-off-again 2014 edition of WeissCon is now firmly on, Oct 20-23 in Atlanta. This will be the first year the event is owned and run by Security Week, although Joe will still be heavily involved.

Ralph Langner and Perry Pederson will be presenting their RIPE Framework in DC on June 24th. Contact The Langner Group to register.

Navigant Research published some information indicating Demand Response might not be growing as expected. A court ruling on a FERC order and data from the PJM Interconnection are cited.