S4x15 Video: Simulating Multiple Substation Failures

This is a great session for power engineers and those involved in substations to watch. It is an extremely technical session by Dr. Chee-Wooi Ten of Michigan Technological University.

The key point is actually easy to understand. The most critical substations to secure may not be the highest voltage substations, and this session provides a set of mathematical equations to perform an impact analysis to identify the most critical substations.

Dr. Ten gets into the modeling and mathematics in significant detail in the video.

S4x15 Video: Power Fingerprinting

We generally do not allow product presentations at S4, but occasionally a technology is novel or potentially important enough that we make an exception. For example, we had Kaspersky present on their ICS operating system at S4x15.

A second exception was made for Carlos Aguayo Gonzalez of PFP Cybersecurity to present the idea of using Power Fingerprinting to identify changes in PLC or RTU logic or firmware.

I won’t attempt to summarize the technical details; watch the video. It includes a demo of the technology.

However, it is interesting that the Power Fingerprinting sensor is in fact not connected to the device it is monitoring. Hello air gap. It is also a potential tool for addressing the supply chain problem.

Unsolicited Response Podcast: Rios on WhiteScope and Medical Device Security

Billy Rios of Laconicly joined me on the Unsolicited Response Podcast to discuss two topics:

  1. WhiteScope – an online ICS/SCADA whitelist that is trying to solve the last mile supply chain problem until vendors start signing their code. The WhiteScope data repository is available to all, free of charge.
  2. Medical Device Security – an area in which Billy is a pioneer. We discuss progress, FDA involvement, and how similar or different it is compared to classic SCADA/DCS/Process Control.
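The "last mile" problem a whitelist like WhiteScope addresses is that an asset owner who downloads firmware or an installer has no way to confirm the bytes are the ones the vendor published. The usual stopgap is a lookup of the file's cryptographic hash against a list of known-good digests. The following is an added example, not WhiteScope's code or API: the whitelist format (SHA-256 hex digest mapped to vendor/product/version metadata) and the sample firmware bytes are constructed for illustration.

```python
"""Hash-whitelist verification of a downloaded ICS artifact (added example).

Assumptions: the whitelist is a dict keyed by SHA-256 hex digest; the
"firmware" bytes are constructed stand-ins for a real image.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class WhitelistEntry:
    vendor: str
    product: str
    version: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample artifacts standing in for a vendor firmware image and a
# copy of it that was altered somewhere between the vendor and the plant floor.
GENUINE_FIRMWARE = b"ACME-PLC firmware v2.1.0 (constructed sample bytes)"
TAMPERED_FIRMWARE = GENUINE_FIRMWARE.replace(b"v2.1.0", b"v2.1.0\x90")

# Constructed whitelist: the digest is computed from the genuine sample above,
# so no hash values are invented.
WHITELIST: Dict[str, WhitelistEntry] = {
    sha256_hex(GENUINE_FIRMWARE): WhitelistEntry("ACME", "PLC-100", "2.1.0"),
}


def verify_artifact(data: bytes,
                    whitelist: Dict[str, WhitelistEntry]
                    ) -> Tuple[str, Optional[WhitelistEntry]]:
    """Return ("known_good", entry) when the digest is whitelisted, else
    ("unknown", None).

    A hash whitelist can only vouch for bytes it has already seen. An unknown
    digest means "not verified", not "malicious": a new vendor release and a
    tampered copy both fall out of the list in exactly the same way, which is
    why a vendor signature (tied to a key rather than to a specific build)
    would be the better long-term answer.
    """
    digest = sha256_hex(data)
    entry = whitelist.get(digest)
    if entry is None:
        return "unknown", None
    return "known_good", entry


def verify_file(path: str,
                whitelist: Dict[str, WhitelistEntry]
                ) -> Tuple[str, Optional[WhitelistEntry]]:
    """Convenience wrapper for a file on disk (read fully; hash the bytes)."""
    with open(path, "rb") as fh:
        return verify_artifact(fh.read(), whitelist)


if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_FIRMWARE),
                        ("tampered", TAMPERED_FIRMWARE)):
        status, entry = verify_artifact(blob, WHITELIST)
        print(f"{label:8s} {sha256_hex(blob)[:16]}...  {status}  {entry or ''}")
```

The single-byte change in the tampered copy produces an entirely different digest, so it is reported as unknown rather than matched; an operator process still has to decide what to do with unknown artifacts, which is the gap that vendor code signing would close.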

S4x16 Moves To South Beach

Save the date: S4x16 is January 12-16

S4x16 is moving to the Fillmore Miami Beach at Jackie Gleason Theater in the heart of South Beach. It’s literally 3 blocks from the beach, 1 block from Lincoln Road and right in the middle of all the SoBe restaurants, shops and night life.

This is a classic art deco venue where The Dick Clark Show, The Ed Sullivan Show and the Miss USA and Miss Universe Pageants were often filmed in the auditorium. In 1964, Jackie Gleason even moved his hugely popular tv show there, hence the name.

In 2007, the Jackie Gleason Theater underwent a major renovation and now has state of the art lighting, sound, video and just about any staging option we can think of — all without losing that cool art deco feel that is South Beach. In fact, the planning team is feeling the challenge of coming up with unique content, formats and staging worthy of this non-traditional ICSsec conference facility.

You often hear this security professional or that automation engineer is a “rock star”. At S4x16 we will see who the real rock stars are on a real stage that today is a major concert venue. Speakers will literally be in the spotlight on the big stage.


In addition to the main theater, the venue has so many interesting rooms for us to use. For example, the ICS Village will be held in the Red Star Lounge, a VIP lounge for concerts with coffee and cocktails and comfortable couches and tables to better get to know your fellow S4 attendees. Much like the staging, taking full advantage of all the rooms is a fun, creative challenge.

The Kimpton Surfcomber will again be an official S4x16 hotel, and it is only a 3 block walk to the Fillmore Miami Beach at Jackie Gleason Theater. Attendees raved about this hotel last year … except for the bus ride to Kovens. No buses for S4x16!


Note: We want to publicly thank the Kovens Conference Center that has been the home of S4 since the inaugural event back in 2007. They did a fantastic job for us each and every year. Unfortunately we outgrew the ballroom there and wanted to move somewhere that buses were not required. We highly recommend Kovens if you need a South Florida venue for an event.

iSight Partners Acquires Critical Intelligence

Belden buys Tofino, GE buys Wurldtech, Lockheed Martin buys Industrial Defender and now iSight Partners acquires Critical Intelligence. The trend continues of larger organizations buying ICS security expertise.

Bob Huber and Sean McBride left Idaho National Labs (INL), after being involved in setting up what became ICS-CERT, to form Critical Intelligence. Critical Intelligence in many ways competed, or augmented if you want to play nice, the information ICS-CERT provided. However, the depth and breadth of the Critical Intelligence product far exceeded what ICS-CERT provided. Whether this was due to the talent disparity, fewer restrictions on what could be written, or both is not known.

I spoke with Bob and Steve Ward of iSight yesterday to understand the motivation for partnering and what future ICS services, products and events will look like. It is too early to answer the latter question, but the motivation was clear.

iSight is looking to improve their threat intelligence in the ICS area, basic and easily understood reason. From a Critical Intelligence standpoint it’s more interesting. iSight has 200+ analysts that speak 16 different languages.

  • A lot of the important ICS threat info is written in Chinese, Russian and Arabic, not to mention the videos and podcasts that require the ability to understand the spoken language.
  • A fair amount of the technical analysis of malware and other attack code is not ICS specific. Look at the work that Kyle Wilhoit is doing over at Trend Micro on Havex and Black Energy for an example.
  • iSight has a methodology that will add rigor to the analysis and reporting process.

What iSight was missing was an understanding of what matters in an ICS, who are the players, important protocols and products, and the ability to task all those resources in a smart way that would lead to useful product. If the two companies can integrate the capabilities well the result should be more than the sum of the parts.

The biggest question then will be whether the asset owners are able to take in and act on this better threat intel.

Admittedly I’m a big fan of Critical Intelligence’s work. They helped with content on our site for a couple of years, were guests on the podcast, speakers at S4 and one of the people I talked to when I was trying to figure out who was doing what to whom.

Another thing this latest acquisition has in common with the other ICSsec acquisitions: the price and terms were not disclosed.

Congratulations to Bob and Sean and the rest of the team at Critical Intelligence.

S4x15 Video – Creating Secure ICS Protocols

At S4x14 Adam Crain of Automatak, along with Chris Sistrunk, presented the results of their Project Robus that fuzzed DNP3 stacks and found most had problems with processing malformed or illegal responses. This year at S4x15 Adam talked about Avoiding Insecurity in ICS Protocols.

Adam compares Schweitzer’s Streaming Encryption Protocol (SEP) with DNP3 Secure Authentication Version 5 (SAv5).

Two of the main criteria he discusses and demonstrates with those two protocols are (1) have a clear trust boundary and (2) keep it simple. It is clear why there were so many bugs that led to vulnerabilities in the DNP3 protocol stacks.
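The Project Robus finding was that most stacks did not hold up when the length fields and checksums in a frame disagreed with the bytes actually received. The following is an added example, not Adam's code and not DNP3 itself: it defines a constructed toy frame format (start byte, 1-byte length, function code, payload, CRC-16) and contrasts a parser that trusts the length field with one that treats the wire as a trust boundary and validates every field before using it. The same malformed inputs a fuzzer would generate are constructed inline.

```python
"""Trust-boundary parsing of a constructed length-prefixed frame (added example).

Frame layout (constructed, not DNP3): START | len | function | payload | crc16.
"""
import struct
from typing import Callable, Dict, Tuple

START = 0x7E        # constructed start byte
MAX_PAYLOAD = 250   # constructed upper bound on payload length


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE, used here purely as a frame integrity check."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def build_frame(function: int, payload: bytes) -> bytes:
    """Build a well-formed frame for the toy format."""
    if not 0 <= len(payload) <= MAX_PAYLOAD:
        raise ValueError("payload too large")
    body = bytes([START, len(payload), function]) + payload
    return body + struct.pack(">H", crc16(body))


class FrameError(ValueError):
    """Raised by the strict parser for anything that is not a valid frame."""


def parse_frame_naive(frame: bytes) -> Tuple[int, bytes]:
    """Trusts the length field and never checks the CRC.

    Python slicing silently truncates, so this 'works' on garbage; the same
    logic in C would index past the end of the receive buffer.
    """
    length = frame[1]
    return frame[2], frame[3:3 + length]


def parse_frame_strict(frame: bytes) -> Tuple[int, bytes]:
    """Validate each field against what was actually received, then decode."""
    if len(frame) < 5:
        raise FrameError("frame shorter than header plus crc")
    if frame[0] != START:
        raise FrameError("bad start byte")
    length = frame[1]
    if length > MAX_PAYLOAD:
        raise FrameError("declared length exceeds maximum")
    expected_total = 3 + length + 2
    if len(frame) != expected_total:
        raise FrameError(f"length field implies {expected_total} bytes, "
                         f"received {len(frame)}")
    body, crc_bytes = frame[:-2], frame[-2:]
    if crc16(body) != struct.unpack(">H", crc_bytes)[0]:
        raise FrameError("crc mismatch")
    return frame[2], frame[3:-2]


def malformed_samples() -> Dict[str, bytes]:
    """Constructed inputs of the kind a protocol fuzzer would produce."""
    good = build_frame(0x01, b"\x00\x01\x02\x03")
    return {
        "truncated": good[:4],
        "oversized_length": good[:1] + bytes([0xFF]) + good[2:],
        "bad_crc": good[:-1] + bytes([good[-1] ^ 0xFF]),
        "trailing_bytes": good + b"\x00",
        "wrong_start": b"\x00" + good[1:],
    }


def classify(parser: Callable[[bytes], Tuple[int, bytes]], frame: bytes) -> str:
    """Describe how a parser reacts to one frame."""
    try:
        parser(frame)
        return "accepted"
    except FrameError as exc:
        return f"rejected: {exc}"
    except (IndexError, struct.error) as exc:
        return f"crashed: {type(exc).__name__}"


if __name__ == "__main__":
    good = build_frame(0x01, b"\x00\x01\x02\x03")
    samples = dict(malformed_samples(), good=good)
    for name, frame in samples.items():
        print(f"{name:17s} naive={classify(parse_frame_naive, frame):10s} "
              f"strict={classify(parse_frame_strict, frame)}")
```

The naive parser accepts every malformed sample, including the one whose length byte claims 255 bytes of payload, which is the class of bug that becomes an out-of-bounds read in a C stack. The strict parser rejects each one with a specific reason and accepts only the frame whose declared length, total size and CRC all agree, which is what "a clear trust boundary" means in practice.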

This is a must watch for any group adding security to an ICS protocol or those that need to start this important and necessary ICS protocol feature.

S4x15 Video – Ginter on Embedding Malware in ICS Protocols

Andrew Ginter of Waterfall Security Solutions speaks on Embedding Malware in ICS Protocols. His conclusion is this is harder than one thinks. The easier solution might be to use the SQL server, web server, ftp server, or other commonly exploited protocols that ICS applications integrate.

Fair warning – the second half of the session gets a bit commercial on his/Waterfall’s view on why unidirectional security solves ICS security challenges.

ICSage Video: Eireann Leverett on Catastronomics

Eireann Leverett of the University of Cambridge Centre for Risk Studies looks at control system related catastrophe scenarios and the economic impact of these scenarios with an eye towards how insurance and reinsurance policies will be written and priced.

Admittedly critical infrastructure cyber security is a new topic in an insurance industry that has been around hundreds of years. Eireann points out that insuring against malicious attacks is not new to the insurance company. They insured against piracy on the seas.

The session provides some relevant macroeconomics in easy-to-understand language and graphs, and Eireann admits “we’re inventing rough metrics in a land of no metrics”.

His initial efforts are related to an important cyber incident that could impact the US, UK and European bulk electric system. The % loss of GDP due to an incident sounds like a good measure if it can be credibly calculated.

The Q&A in this session was particularly good, which is understandable since there are more questions than answers at this time. It’s a fertile field for those looking for an important economic problem.

For what it’s worth … this was my 18-month-old daughter’s favorite session.

Unsolicited Response Podcast: SANS ICS 410 Course & GICSP

Episode 2015:2 SANS ICS Security Training and Certification

SANS provided four individuals for our Unsolicited Response podcast on the 5-day ICS 410: ICS/SCADA Security Essentials training course and the related Global Industrial Cyber Security Professional (GICSP) certification.

  • Scott Cassity, Managing Director of GIAC
  • Mike Assante, SANS Lead for ICS/SCADA security training
  • Justin Searle, SANS Instructor and major course content creator
  • Graham Speake, SANS Instructor and participant in GICSP creation

In the hour long discussion we cover:

  • Why SANS developed an ICS certification and training course
  • The difficulties and benefits of having a mix of IT Security and OT students in the class
  • How the course and certification were created and how they are structured
  • Early feedback on the course and certification along with likely changes and possible future courses (2-day course) and certifications
  • The number of students trained and the number of certified GICSP
  • Why SANS courses are so expensive relative to other courses
  • How a potential employer should view an individual who holds the GICSP certification

I also gave the SANS team a chance to answer the criticism that this is an IT Security course from an IT security organization.

I appreciate SANS providing so much time and resources to the podcast. I think there is a fair argument on how the SANS course rates in comparison to the competition, and it might depend on the attendee profile and goal of taking the course. The one thing that SANS has going for it is they know how to scale up to train thousands of students, and this is needed in the ICS security space.

Related Links:

I’m committed to a minimum of 20 podcasts in 2015; this is episode 2. We will wait until five episodes are recorded before bringing on podcast sponsors, but let us know if you are interested in sponsoring Unsolicited Response.

Subscribe to the Unsolicited Response Podcast in iTunes.

S4x15 CTF ICS Village Page

The Capture The Flag (CTF) contest in the ICS Village at S4x15 was a big hit. We have had numerous requests from attendees and those that heard about it for more information and data. So Stephen has put together a page of information. The page includes:

  • Examples of flags in each of the five categories
  • Packet captures with ICS protocol and attack data (the most requested item)
  • Screenshots of detected data and the scoreboard
  • Pictures from the ICS Village
  • An explanation of the event

You may also want to watch an interview with the team that won the CTF.

Great job by Stephen and the team of volunteers who put the CTF together and kept it running under three days of attacks. It puts a lot of pressure on the team to make it bigger and better for S4x16.