Aqualillies at S4x15


The South Beach Pool Party will be at the Surfcomber Hotel on Thursday after the S4 Technical Sessions. We are pleased to announce the entertainment for the party … The Aqualillies!

This synchronized swimming group will perform a few numbers in the great Surfcomber pool and then mingle and take pictures. They have performed at TED, Disney World, award shows and other great events.

The pool at the Surfcomber is the perfect venue for the party and this entertainment with balconies, the pool deck, and of course the ocean view at sunset.

I like the Aqualillies mission statement:

Our goal is to inspire people with beauty, grace, and spectacle, bringing to life the magic of the universe through synchronized swimming and dance. By following our dreams we hope to encourage others to do the same: to free their imagination, seek out adventure, believe in themselves and their power to make the world a better place. We are reinventing water ballet for the new millennium!


We have some other fun surprises for this very unusual ICSsec event.

After the party you will be right in the heart of South Beach so you can grab dinner, more drinks, go to a club or just people watch. We will have a bus going back to the Trump at 11PM for those wanting to stay down in South Beach post party.

Registration Update

The registration count is at 126. This means there are 24 seats left at the tier 3 price and only 64 seats left in total. You need to book now if you want to get your spot at S4x15 Week.

Hotel Update

The room block at the Trump International is SOLD OUT. There are still rooms left at the conference rate at the Surfcomber Hotel in South Beach (where the party on Thursday will be held). This room block is available until December 20th so book your room now.

S4x15 Advanced Training Classes

S4x15 attendees have some choices for the Friday activity. There is the ICSage: ICS Cyber Weapons conference and now two one-day advanced training classes. We pick classes that will teach students with the right experience a new, leading edge skill in one day. These classes are typically being taught for the first time. The two classes this year are:

CANBus Hacking

Instructors: Corey Thuen and Reid Wightman of Digital Bond

Corey has been digging into CANBus as part of his research project he will present in the S4 Technical Sessions. He learned a lot and wants to pass that along to the students.

There is no way to do this course without the right hardware. So there is a $100 hardware supplement so every student will have a BeagleBone with CANBus Cape they can use in the course and take home with them.

Why Should the Red Team Have All the Fun?

Instructors: Jim Gilsinn and Bryan Singer of Kenexis

Jim and the Kenexis team have developed a new ICS lab environment that they can bring on the road. So there will be some instruction focusing on defensive techniques and then the class will have a Red/Blue competition.

Each lab pod will have three students on each team and some of the lessons learned will be on the techniques and reasons why the various teams won and lost.


The 100+ that have already registered for S4x15 should have received an email on how they can switch from ICSage to the class or add the class if they want.

Seats for each class are limited, so look closely at the required knowledge. You will be left behind if you don't have it.


Send In The Drones, S4x15


This year we have a fun addition to the S4 Cocktail Party held on the Kovens Center deck overlooking the Intracoastal Waterway … drones. We are bringing in CineDrones to let attendees fly a drone through an obstacle course. They claim the drones are virtually indestructible, and I’m sure some first time pilots will put this to the test. We will have prizes for the best times on the course.

CineDrones will also pilot a drone overhead with a camera and display the events on screens inside and outside. Kovens does a great job with the food at this event, and it's always fun to relax on the deck at sunset after a long day of hardcore ICSsec technical talks.

The Welcome Party on Tuesday is sponsored by PFP Cybersecurity and Waterfall. It is a Cuban themed party down on the beach at the Trump International. We have cigar rollers, domino tables, Cuban food and drink and music, and some other fun surprises. This was a big hit even in unseasonably cold weather last year, so we decided to run it back for another year.

The South Beach Pool Party is the big finish of the S4x15 social events on Thursday. We have some fun surprises for this that we will disclose next week. Stay tuned.

Kim Zetter Interview & Book Signing at S4x15


We have added Kim Zetter, author of Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, to the S4x15 Week Agenda. We will have Kim onstage for a live interview as part of ICSage on Friday. I’ll have a few questions, but we will open much of the interview for audience questions and comments.

Kim will be doing a book signing at lunch on Friday and all attendees will be given a copy of her book.

Some of the other sessions added to the agenda in recent weeks include:

  • Kyle Wilhoit on The State of SCADA Malware. Kyle was involved in identifying and investigating the recent malware that has been searching for ICS applications. You also need to hear about his incubation concept and environment.
  • Dr. Chee-Wooi Ten will give a brief introduction into research on Simulating Multiple Substation Failures.
  • Mark Heard and Jonathan Pollet have been added to OTDay to show how to Use the NIST Cybersecurity Framework in Your ICS Program.

We are now in the third tier of pricing, seats 101-150, and you will want to reserve your hotel room while the conference rate is available.

Friday News & Notes

Sean McBride's Finding SCADA Honeypots on Shodan article is a twist on the Internet connected ICS story. He finds 58 Conpots and 67 honeypots listed as Water Control Valve #27. The article makes two points. One, some basic analysis is required to weed out honeypots. And two, you need to add more reality and interaction to your SCADA honeypot if you want it to be believable.

Wonderware released a new version of their SmartGlance mobile app. We regularly beat up these ICS mobile apps for promoting remote control from any untrusted phone anywhere in the world. It was refreshing to read the Wonderware press release that focused on making plant information available anywhere, not control.

The Nuclear Energy Institute (NEI) is petitioning the US Nuclear Regulatory Commission (NRC) for a rule change "to ensure the regulation is not overly burdensome for NRC licensees, and adequately protects the public health and safety and common defense and security". It would reduce the types and number of devices, applications and subsystems that are subject to cybersecurity regulation. Joe Weiss stirred things up with his "The Arrogance of the US Nuclear Power Industry" article.

Admiral Rogers, Director of the NSA, testified in Congress yesterday. He stated that China and one or two other countries have the capability to attack ICS and affect the US electric grid and other critical infrastructure. This quote was thought provoking, “We need to define what would be offensive, what would be an act of war,” he said. “Being totally on the defensive is a very losing strategy to me.” I need to hear that in context.

The second price tier of S4x15 tickets (51-100) will sell out before Thanksgiving. Get yours now, save $100 and reserve your spot.

Image by Carbon Arc

ICS Village at S4x15

Stephen Hilt and a team of volunteers are working furiously on the ICS Village for S4x15. The ICS Village at S4x14 had a large number of ICS devices, 6 different vendor PLC's, HMI, industrial switches, historians, …, and we allowed attendees to play and attack them at will. Of course, every year needs to get better.

One thing we learned from our past ICS Villages and the recent Defcon ICS Village is that a lot of people are at a loss for what to do in the Village. So the ICS Village at S4x15 will have a capture the flag (CTF) competition with ICS flags in five different categories.

The CTF will be scored and prizes will be awarded to the top individuals or teams.

We will be releasing information on the ICS Village every two weeks that will help attendees gather their tools and plan their attacks. To begin, the diagram below shows a simplified network diagram of the ICS Village. Some specific product names will be added in future updates.


The flags and scoring will be on a Jeopardy style board with the following categories. Each category will have different levels of difficulty with corresponding point values.

  • Reconnaissance. Example easy flag: identify a historian on the network. Example medium flag: pull tag names from a PLC.
  • Exploitation. Example medium flag: use Modicon password recovery to recover a super secret password. Example hard flag: downgrade software on a PLC.
  • Process. Example medium flag: modify an HMI display.
  • Forensics. Example easy flag: review firewall logs for signs of ICS specific malware. Example hard flag: Identify hacker identity via evidence left in firmware.
  • Protection. Example easy flag: write ICS signature for an earlier discovered flag.

If you would like to participate in the preparation or running of the ICS Village, or just have an idea for a flag, contact Stephen Hilt.

CRISP: Market Failure and Fools Gold

CRISP (Cyber Security Risk Information Sharing Program) is a US Department of Energy (DoE) program with two related efforts underway to meet its goals.

There can be cases where the Market, in this case energy companies, is not sufficient to support a product or service. The Market may be interested in trying out the new offering, but not at the price required to sustain the business. The government or another entity can step in and subsidize some or all of the product or service. The subsidy should be short term, perhaps 1 to 3 years. If the market does not perceive the value or the cost does not come down, the offering is not sustainable.

The DoE Office of Electricity Delivery and Energy Reliability (OE) is funding Norse Corporation to provide a threat information feed based on their Internet sensors to CRISP participants. It will be integrated in some way with FireEye hardware. The subsidy is $1.9M over two years.

DoE writes “This unique package and specialized low pricing represent a highly compelling enhancement to CRISP cyber security and the protection of energy related critical infrastructure.” The concept is the energy sector will see the value of this data and pay full price for it after two years.

This isn’t strictly a market failure issue because the offering exists and energy companies can buy it without DoE help. However it’s a small expenditure for the US Government, and it does not get them into the threat intelligence business. It’s low risk and allows participants and DoE to see if this information has value.


The more troubling aspect is the NERC/ES-ISAC/PNNL effort that forms the main part of CRISP. This could be a 3000-word post on its own, but here is the shorter, bulleted list of the major problems:

  • Pacific Northwest National Laboratory (PNNL) is performing the analysis of the collected data at $7.5M for one year. Why is PNNL competing with industry, a proven, competitive and growing industry that is more talented and experienced than PNNL in this area? The $7.5M is for sensors at 28 companies, $267K per company for an Internet sensor plus about another $33K per company paid to NERC.
  • There is an indisputable conflict of interest with NERC, the ERO/regulator, pushing an overpriced "security service" to the companies it regulates and can fine for not meeting the CIP regulations. They can talk about Chinese walls and other separation, but this exacerbates the existing conflict of interest with NERC being both the regulator and the ES-ISAC.
  • Moving forward, NERC is considering staffing up the ES-ISAC to take over the PNNL role. So NERC is going to build a threat intelligence analysis company; it goes from bad to worse.
  • Finally, these sensors are not collecting data from an ICS. "The CRISP ISD is a network device which uses commercial off the shelf hardware. It's placed at the transmitting site's (e.g. utility) network border, just outside the corporate firewall." The case that PNNL's or some other organization's energy expertise is critical might be persuasive if this were an ICS security perimeter or interior being monitored, but the relative lack of experience and data feeds at NERC/PNNL will put this offering at a major quality disadvantage to commercial competitors. This is not even considering the pricing disparity.

NERC envisioned complaints about competition with commercial offerings and provided the following:

CRISP has two differentiators from other commercially available cyber risk monitoring services. The first is the intent and ability to integrate other cyber related threat information provided through governmental sources with the cyber threat information gathered from the ISDs installed at the participant’s sites. Second is the ability of the program to look across organizations within the electricity subsector, identifying correlation and trends.

Fools Gold

CRISP, like Cyberstorm, LOGIIC and many others, will undoubtedly be called a success. You can write the press release before the event or project is finished. The criterion for success is that the various organizations come together to participate in the project or event.

You can visualize the press release and presentations already. A list of 28 utility companies, DoE, raw monitored traffic numbers, events, bulletins written and a couple of quotes from senior executives. The Norse Corporation portion of CRISP will be easy to evaluate. Do energy sector companies purchase this service from Norse or their competitors when the subsidy ends?

The criterion for success of the NERC/PNNL effort is more difficult. A larger program is as likely to be due to marketing pressure as to any value of the information. It's the C-level / Director question … are we part of this CRISP security thing? If it is too late to stop, NERC should be working on and announcing in early 2015 plans to spin CRISP, and I would argue ES-ISAC, off to a commercial entity. Then the market would determine if CRISP is a success.

Image by arbyreed

ABC This Week / Bravo Richard Clarke

This past Sunday's edition of This Week With George Stephanopoulos had a 7-minute segment on critical infrastructure cyber security prompted by the BlackEnergy malware. The lead in by ABC's Pierre Thomas was particularly bad and conflated attacks on companies that run the critical infrastructure with attacks on the critical infrastructure. They even went back to the 2007 DHS Aurora footage while making it appear as if this is a recent data point.

An important and easy to understand point still seems to escape the mainstream media reporting. Brand new, top of the line ICS, not just ten-year old legacy systems, being deployed in the critical infrastructure are insecure by design. If an attacker gets through the perimeter, he will have complete control of most ICS. My hope is the “less security than your ATM/bank cash card” will eventually catch on.

One very positive aspect of this segment was Richard Clarke's comments. He was hitting a lot of points I made in my S4x14 ICSage talk, to a much broader audience in very clear language. Some of the gems:

  • “half dozen countries that have already placed logic bombs” and he specifically included the US on this list
  • “you want to have the ability to push a button when the war starts” when talking about pre-staging ICS cyber weapons
  • “tried this with their potential enemies” again indicating this is already happening

Mr. Clarke also commented that most of these ICS cyber weapons will never be used if they are deployed by nations. However, the risk of a less responsible group with less to lose deploying and using these weapons is his concern. While brief, his comments were literally the best I have seen in the popular media in the last decade.

Congressman James Langevin was also on the program, and he echoed a lot of what Richard Clarke said. However when he came to discuss solutions, his big answer was for Congress to pass an information sharing law. If DHS and the US Government can’t say out loud the most basic and important information, that these insecure by design systems in the critical infrastructure need to be upgraded or replaced in the near term (I say 3 years), what practical use is an information sharing law?

Friday News & Notes

The CLUSIF (Club de la sécurité de l'information français) has issued "an overview of existing documents, standards, guidelines and best practices" (link is for the document in English). The 24-page document gives an overview of the most popular and useful documents, and some advice on determining which documents might be most helpful to the reader based on a variety of criteria.

Robert Lee and Thomas Rid's paper OMG CYBER! Thirteen Reasons Why Hype Makes for Bad Policy is available for free download. I'd like to see a follow up paper OMG CYBER! Thirteen Things Your Vendor and Government Are Not Telling You About Cyber Risk in Your ICS.

Waterfall Security, best known for their Unidirectional Security Gateways, has announced Application Data Control. While technical details are still limited, it appears to add deep packet inspection to their product line.

Perry Pederson of Langner Communications has written a 28-page RIPE Crosswalk document that compares and maps RIPE to NERC CIP, NEI, WIB, NIST CSF, …

We are well into the second tier pricing of S4x15 Week tickets (51-100). The price goes up $100 each tier so register early to save money. We were happy to add Tim Yardley as a speaker this week as well as some additional OTDay sessions.

Friday News & Notes

We added a bunch of info to the S4x15 site including the newly designed banner, see below. We are almost through the first pricing tier of 50 tickets (42 sold).


“DHS ICS-CERT” and FBI announced, a bit clumsily, that they will be touring 13 cities across the US and providing “a series of SECRET briefings …for cleared asset owners/operators. …  These briefings will provide additional context and information about the BlackEnergy campaign as well as the Havex malware that both targeted industrial control systems.” Sounds like a worthwhile program if they have unique information. I always wonder why these briefings happen after, rather than before, the information is released publicly by researchers and vendors. This is related to an ICS-CERT Alert issued this week.

Some good news on the INL front, they recently added Andy Bochman to the team. I’ve always admired Andy’s writing on Smart Grid security and other ICSsec matters when at IBM and in his own startup. Good luck Andy.

FireEye released a whitepaper on a Russian organization they are calling APT28. It does not appear to have any critical infrastructure ICS aspects, although some of the government systems being attacked or having intelligence gathered could be ICS.

The team at Netresec wrote a nice blog summarizing the three vendors who were distributing Havex infected software.