The court battle between Battelle/INL and Corey Thuen at Southfork Security is over. The settlement agreement gives Battelle all rights to Thuen’s Visdom product. While the case hinged on whether Visdom was a copy of Sophia and on the Thuen employment agreement, the court’s reaction to the “you called yourself a hacker so you will break the law” argument and the lame national security impact contention were what made it worth watching. Now clear of entanglements with INL, Thuen could start over and build a similar product, but neither Sophia nor Visdom was especially novel or even competitive with more full-featured solutions.
Microsoft introduced a new version of their free threat modeling tool. We used their old tool in consulting projects, and look forward to trying out and writing about the new version. One immediate plus is it no longer requires Visio. Microsoft has included a drawing tool in the package.
Bloomberg reported “Electric, natural gas and major water companies and regional distribution systems in Connecticut have been penetrated by hackers and other cyber attackers, but defenses have prevented interruption”. We will be seeing this in slide decks.
And we probably need to put a note in about Heartbleed. There have been a few ICS-CERT advisories on the issue. Asset owners should look at SSL/TLS remote access into the ICS and at the SSL/TLS management interfaces on security perimeter devices. The bug is in OpenSSL’s TLS heartbeat handling (CVE-2014-0160), so any product that bundles a vulnerable OpenSSL is suspect until the vendor says otherwise, and anything confirmed vulnerable needs its private keys, certificates and passwords replaced after patching, since the leaked memory may have included them. Pre-Heartbleed, remote access to ICS should have been physically disconnected except when emergency support is required.
Rotem Bar of Limpox Advanced Solutions closed out S4x14 with a look at how integrators can introduce vulnerabilities into an ICS. Sistrunk and Crain made the same point with the DNP3 vulns: the TMW master station itself was not vulnerable to the Project Robus attack methods, but some vendors who had implemented the TMW stack in their master station fell over when fuzzed.
Rotem looks at an example API, from GE Cimplicity, and finds a lack of input validation, a lack of access control, and unnecessary features. He then proposes an architecture to resolve many of these issues.
We normally don’t bother commenting on ICS-CERT alerts or advisories, but since we broke that rule already … the latest advisory update on an Allen-Bradley denial of service vuln is another reminder that vulns and patching matter little in this insecure-by-design world. Why worry about a vuln that can cause a denial of service when an adversary can simply send a legitimate, unauthenticated EtherNet/IP Stop CPU command?
Siemens and McAfee announced they “are extending their partnership to enhance the security offerings for industrial customers to protect against rapidly evolving global cyber threats.” Hard to tell if this is marketing fodder or more. The ICS vendors are choosing partners to work with for application white listing, security monitoring and other solutions. Symantec and McAfee being the major players along with the newest Lockheed/Industrial Defender combo.
Innominate’s mGuard was one of the first industrial field firewalls. At Hannover Messe this week they announced support for OPC. The “OPC Inspector masters the complex connection tracking of OPC dialogues across their changing ports and connection directions, thus enabling an effective control and filtering of OPC based on the stateful inspection firewall principle”. That tracking is the hard part: classic OPC rides on DCOM, which negotiates dynamic ports and opens callbacks from server to client, so a plain port-based rule set either blocks it or ends up allowing everything. They sell a virtual machine software version in addition to the physical, industrial-rated module.
Are Risk Based Approaches Bound to Fail in Securing Critical Infrastructure ICS?
The idea for the topic was the Bound to Fail paper by Ralph Langner and Perry Pederson for the Brookings Institution. We had Jim Gilsinn of Kenexis and Marc Blackmeer of Cisco arguing that risk based approaches are helpful and necessary, and Zach Tudor of SRI and Mike Ahmadi of Codenomicon making the case that risk based approaches are bound to fail.
After the four of them argue the issue for 25 minutes it is thrown out to the audience for the remaining 25 minutes. You will see the S4 attendees are not shy about giving their opinion and mixing it up.
Have a great research idea for “Automatic Detection and Patching of Embedded Systems”? Take a look at the DHS pre-solicitation notice announcement for funding under the Small Business Innovation Research (SBIR) program. There is a heavy Internet of Things slant to the item. FYI, this SBIR was what initially funded our SCADA IDS signatures and preprocessors that are now integrated into most commercial IDS.
Critical Intelligence released their annual ICS Security Trends and Analysis Report, for purchase. The analysis of the quality and quantity of the new ICS vulnerabilities is the sizzle, but the most useful information is on new attack and defense techniques, threats and information that will help your detection efforts.
The National Institute of Building Sciences announced two workshops, for a fee. “The Introduction to Cybersecuring Building Control Systems Workshop and the Advanced Cybersecuring Building Control Systems Workshop are both built around” the new Cybersecurity Framework. BYOBACnet script.
Jim Gilsinn and Bryan Singer of Kenexis Consulting Corporation had a quick 12-slide/15-minute session on analyzing ICS protocols. Good information on the what and why of pub/sub in these protocols, as well as some protocol plots showing some of the challenges of analyzing these protocols.
UPDATE – The video is added. I wrongly assumed this was the lost 15-minute session. Sorry Sean.
Sean McBride of Critical Intelligence goes into some real world examples of success and failure in ICS Vulnerability Analysis. Viewers should be aware there may be a bit of bias to point out shortcomings since this is what Critical Intelligence does for a living, but loyal blog readers and anyone with insight knows the ICS-CERT Alerts and Advisories rarely provide worthwhile analysis.
If you are looking for ICS vulnerability statistical data the first nine slides have very useful charts. The remainder of the presentation goes through some typical and important failures by ICS-CERT and vendor CERTs.
I have some hope that the vendors will learn and get better. I have little hope that ICS-CERT will improve because they have yet to admit they are lacking. The ICS industry doesn’t help by praising the fact that they are putting out so many more Alerts and Advisories than in years past. They could let US-CERT or CERT/CC handle at least 95% of these and truly use their ICS expertise to dive deep in the 5% that matter.
Some of the big names, AT&T, Cisco, GE, IBM and Intel, have created the Industrial Internet Consortium. GE has been pushing the term Industrial Internet and may be the hub of the five founding partners, who by the way hold a majority of permanent seats in the IIC. Others are encouraged to join and come along, but it’s the founding partners’ game. Expect Siemens and a couple of GE’s other big competitors to do something similar if they have not already. BTW, there is a Security Working Committee in the IIC.
Joe Weiss, who I like to call the Paul Revere of the ICS world, cancelled WeissCon 2014 due to his consulting workload. Joe’s event was the first ICSsec event and drew a good crowd of asset owners. I had heard good things about the last two WeissCons, a bit of a revival, so I’m sure this will disappoint many. Joe says it will be back in 2015.
We submitted our BACnet-discover-enumerate.nse for inclusion in Nmap so you wouldn’t need to download and install our script separately. Some minor code changes were required and are in process to meet the Nmap style and format. We will let you know when it happens.
Thomas Brandstetter was the face of Siemens CERT, most famously at BlackHat during the Beresford vulns. About a year ago he left Siemens and founded Limes Security in Austria. You can add Limes Security to the list of ICSsec training options. They have European-based courses for Managers, Engineers and more technical security courses for those who want to assess DCS and SCADA systems.
The US Government Accountability Office (GAO) issued a report entitled: Observations on Key Factors in DHS’s Implementation of Its Partnership Approach. The first bullet in the summary is humorous and sad. GAO points out that they identified information sharing as key in 2003 and problems with DHS information sharing in 2010. And they continue to beat that information sharing drum again. I can’t take US Government information sharing seriously until they say out loud and repeatedly critical infrastructure ICS applications, devices and protocols are insecure by design and need to be upgraded or replaced now. Most of what ICS-CERT/DHS shares is noise to show they are doing something.
Security consulting firms take note that Trustwave was included in a lawsuit related to the Target breach. “Trustwave scanned Target’s computer systems on Sept. 20, 2013, and told Target that there were no vulnerabilities in Target’s computer systems. Trustwave also provided round-the-clock monitoring services to Target, which monitoring was intended to detect intrusions into Target’s systems and compromises of PII or other sensitive data. In fact, however, the data breach continued for nearly three weeks on Trustwave’s watch.”
Dragos Security founders Matt Luallen and Robert Lee announced their first product: CyberLens. CyberLens enables the passive discovery and identification of cyber assets on a network. I asked, and Robert answered in a Twitter discussion, what makes CyberLens different than Tenable’s PVS and other solutions. The challenge products like Sophia and CyberLens have is: are the ICS intelligence advantages enough to warrant selecting a less complete, less proven and less likely-to-survive solution?
On a related note, the kerfuffle between Corey Thuen (Southfork Security) and INL on Sophia must have eased a bit as Corey is the guest presenter at the ICSJWG Webinar I Think, Therefore I Fuzz on March 27th. I couldn’t find a registration link on the ICSJWG site.
Continuing on disclosure, Jake Brodsky over on SCADASEC tells a story of finding a “wide open” FTP server at “a small controls firm that does ICS application software programming”. “It had correspondence regarding various ongoing projects with utility plant upgrades. It had application programs. It had drawings. It had spreadsheets of I/O maps and descriptions.” So they called DHS, who called the firm, and now there is a password on the FTP server. I’m sure loyal readers know that this is not enough; FTP still sends that password and the files in the clear, and nothing says the data wasn’t already copied. My question … has the firm notified their customers that sensitive data was Internet exposed for years? If not, are Jake, DHS and the firm practicing “responsible” or even “coordinated” disclosure? Don’t answer that; it was to prove a point. Those words have always been subjective and ring hollow to me. And this is more evidence that disclosure is not worth the discussion because whoever finds the vuln will do what they choose to do.
The Japanese government recently held a cyber exercise. According to JapanToday, “Some 50 cyber-defense specialists gathered at an emergency response center in Tokyo, with at least three times that many offsite, to defend against a simulated attack across 21 state ministries and agencies and 10 industry associations.”
Monzy Merza of Splunk had an S4x14 defensive session. Working with an actual, deployed Building Management System (BMS), Monzy wrote Python scripts to export the data from the BMS to Splunk for analysis. He focused solely on what could be detected from information logged by the BMS itself, with no network capture.
The BMS was known vulnerable in the general sense that BACnet is an insecure protocol (no authentication on reads or writes) and in the specific sense that Rios/McCorkle had found vulnerabilities in the Tridium Niagara AX.
Once the data was in Splunk, Monzy showed examples of how anomalies that could be cyber attacks could be detected in the data. The examples are specific to a BMS and should provide hints to anyone looking for attack detection in an ICS.
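To make the “anomalies in the logged data” idea concrete, here is an added example that is not Monzy’s code and not part of the original post. It assumes a hypothetical key=value export of BMS write operations (the log format, object names and 10.0.5.x addresses are all constructed). A short learning set establishes, per BACnet object, which hosts normally write it, at what hours, with what write priority and within what value range; the detection pass then flags writes from a new source, outside learned hours, at a higher-than-usual BACnet priority (1 is highest, 16 lowest), outside the learned value range, or in a burst from one host.

```python
"""Baseline-and-detect over constructed BMS write logs (added example, not the post's code)."""
from collections import deque
from datetime import datetime

# Constructed sample lines in a hypothetical "timestamp k=v k=v ..." export format.
BASELINE_LOGS = """\
2014-03-17T08:05:10 src=10.0.5.20 object=AV:12 op=writeProperty priority=16 value=71.0
2014-03-17T12:30:42 src=10.0.5.20 object=AV:12 op=writeProperty priority=16 value=72.5
2014-03-17T17:15:03 src=10.0.5.20 object=AV:12 op=writeProperty priority=16 value=70.0
2014-03-18T08:02:55 src=10.0.5.20 object=AV:12 op=writeProperty priority=16 value=71.5
2014-03-18T09:40:11 src=10.0.5.21 object=BV:3 op=writeProperty priority=16 value=1.0
2014-03-18T18:01:27 src=10.0.5.21 object=BV:3 op=writeProperty priority=16 value=0.0
"""

# Constructed: one normal write, then an unknown host hammering setpoints at 2 AM.
TEST_LOGS = """\
2014-03-19T17:05:00 src=10.0.5.20 object=AV:12 op=writeProperty priority=16 value=71.0
2014-03-20T02:13:05 src=10.0.5.77 object=AV:12 op=writeProperty priority=8 value=95.0
2014-03-20T02:13:06 src=10.0.5.77 object=BV:3 op=writeProperty priority=8 value=1.0
2014-03-20T02:13:07 src=10.0.5.77 object=BV:3 op=writeProperty priority=8 value=0.0
2014-03-20T02:13:08 src=10.0.5.77 object=AV:12 op=writeProperty priority=8 value=60.0
"""


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    rec["priority"] = int(rec["priority"])
    rec["value"] = float(rec["value"])
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def build_baseline(records):
    """Per object: writing hosts, hours seen, highest priority used, value range."""
    base = {}
    for r in records:
        if r["op"] != "writeProperty":
            continue
        b = base.setdefault(r["object"], {"writers": set(), "hours": set(),
                                          "min_priority": 16,
                                          "lo": r["value"], "hi": r["value"]})
        b["writers"].add(r["src"])
        b["hours"].add(r["ts"].hour)
        b["min_priority"] = min(b["min_priority"], r["priority"])
        b["lo"] = min(b["lo"], r["value"])
        b["hi"] = max(b["hi"], r["value"])
    return base


def detect(records, baseline, burst_threshold=3, burst_window_s=60):
    """Return one alert dict per suspicious write, listing every rule it tripped."""
    alerts = []
    recent = {}            # src -> deque of write timestamps inside the burst window
    burst_flagged = set()  # report a burst once per source, not once per write
    for r in records:
        if r["op"] != "writeProperty":
            continue
        reasons = []
        b = baseline.get(r["object"])
        if b is None:
            reasons.append("unknown_object")
        else:
            if r["src"] not in b["writers"]:
                reasons.append("new_writer")
            if r["ts"].hour not in b["hours"]:
                reasons.append("off_hours")
            if r["priority"] < b["min_priority"]:   # BACnet priority 1 overrides 16
                reasons.append("high_priority")
            margin = 0.1 * (b["hi"] - b["lo"])      # small tolerance around learned range
            if not (b["lo"] - margin <= r["value"] <= b["hi"] + margin):
                reasons.append("out_of_range")
        q = recent.setdefault(r["src"], deque())
        q.append(r["ts"])
        while (r["ts"] - q[0]).total_seconds() > burst_window_s:
            q.popleft()
        if len(q) > burst_threshold and r["src"] not in burst_flagged:
            burst_flagged.add(r["src"])
            reasons.append("burst")
        if reasons:
            alerts.append({"ts": r["ts"].isoformat(), "src": r["src"],
                           "object": r["object"], "reasons": reasons})
    return alerts


def run_example():
    """Learn from BASELINE_LOGS, then score TEST_LOGS."""
    return detect(parse_logs(TEST_LOGS), build_baseline(parse_logs(BASELINE_LOGS)))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The learned baseline is deliberately narrow (a few days of hours and one writer per object), which is what makes it useful against an attacker who can issue perfectly valid BACnet writes: the protocol gives you no authentication to check, so who, when, how hard and how fast are the only signals left in the BMS’s own log.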