Unsolicited Response Podcast: Cyber Insurance

oil-refinery

Who would have thought a podcast on insurance would be one of my favorite and most interesting I’ve done in the past few years.

I spoke with Eireann Leverett and Jennifer Copic of the University of Cambridge Centre for Risk Studies. They were two of the researchers who helped Lloyds put together the paper Business Blackout: The insurance implications of a cyber attack on the US power grid.

While the temptation will be great for loyal blog readers to focus on the scenario for the blackout, that is the least important part of the paper.

In the podcast we talk a lot about what types of insurance would likely cover an incident with the scenario’s impact. What factors would make a claim covered or not covered. All risks cover, silent cover, advanced or affirmative coverage and other important terms are defined and discussed.

We also delve into how this insurance will be written given the lack of data. This is not the first time Lloyds and others have dealt with this problem, so it is not insurmountable.

After listening to this episode multiple times I’m more convinced that cyber insurance for ICS / OT is coming. Owner/operators will want to transfer risk once a true risk management program is in place. The cybersecurity framework and other factors, such as C-levels and boards awakening to the risks they are unknowingly accepting, are beginning to drive informed risk management programs. Insurance and reinsurance companies are always looking for new and growing markets. This is important information for mid and top level management at owner/operators.

S4x16 CFP Ends Aug 31 / Also Looking for 1-Day Courses

s4 final on blackThe best way to get the most of any conference is to be a speaker. At S4 you get a chance to present your great research or passionate viewpoint to an audience of advanced ICSsec pro’s who will get it. They might not agree, but they will get it.

So check out the CFP and send us your best ideas for the Technical Deep Dives on Stage 2 or the less technical, but more entertaining Main Stage. It’s not an academic, refereed process, so just send us your idea and we can talk about whether it would make a great S4 session.

We are also looking for a couple more 1-day classes for the Friday after the conference ends. Let us know if you have a course or a course suggestion.

Friday News and Notes

friday-binaryBlackHat and DefCon are over, and vendors are breathing sighs of relief (or, digging trenches).  Let’s look at this week’s top news, according to us.

In the database world, we have two stories (a fail and a win):

– Oracle’s CSO floated a vaguely threatening blog post concerning external researchers searching for bugs in Oracle software.  For most software, this is a violation of the End User License Agreement (EULA), although well-respected vendors ignore this violation when it comes to security researchers reporting security issues in their software.  This is noteworthy because Oracle has made inroads into certain control systems verticals as the database of choice.  Oracle quickly removed the post (which may still be read here) and issued a statement that the CSOs attitude concerning 3rd-party testing is not in line with Oracle itself. This is hard to swallow.  The opinion of a corporate executive certainly has an effect on how a company acts, otherwise the worker is truly not a ‘Chief’.

– As a foil to Oracle’s failure, OSISoft has released an alert with bug fixes to their PI Historian.  Some 56 security issues were identified and fixed in OSISoft software.  OSISoft currently leads the ICS space in self-reporting security issues and publicizing its internal security efforts.

A handful of vehicle hacking stories follow the Vegas cons:

[Read more…]

S4x16 Call For Presentations

s4 final on black

We have opened the S4x16 Call For Presentations on the event website. Since 2007 S4 has been the place to show your ICS Security research to an advanced audience that will get it. In recent years we have added Operations Technology (OT) and ICS Cyber Weapons sessions to the event. But again these sessions are aimed at an audience that knows the basics and doesn’t want to hear SCADASEC 101.

The new venue in South Beach will allow us to produce sessions on two big stages, so we will be hunting harder than ever for quality, fresh and entertaining content.

Here is the short version of the CFP:

  • Email your proposed idea for a S4x16 session to s4@digitalbond.com
  • Explain the session in 2 to 3 paragraphs highlighting what is new or novel about the session
  • Identify if it is a Technical Deep Dive Session or Main Stage Session
  • Identify the time requested for the session (15, 30, 45 or 60 minutes)

Also email us any ideas you may have for speakers or topics we should chase for S4x16. We evaluate submissions as they come in, so sending your session idea in early increases the odds it will be accepted. The CFP closes on September 1st.

Book Review: There Will Be Cyberwar

Screen Shot 2015-07-01 at 9.17.37 AMThere Will Be Cyberwar: How The Move To Network-Centric War Fighting Has Set The Stage For Cyberwar by Richard Stiennon

Read this book if you are looking for a summary of the attacks and cyber incidents that have occurred over the past 20 years in government, military, critical infrastructure and business. It also provides numerous concise examples of security controls that are needed to combat the attacks described in the book.

Don’t read this book if your focus is ICS. There is a bit of information on ICS incident, but not enough to justify reading for that purpose and you will find minor problems with the ICS text. Don’t read this book if you are looking primarily for a discussion and analysis of the future of “cyberwar”.

With the exception of the fictional scenario in Chapter 1 most of the book is focused on synopsis of past incidents. It does however convincingly make the case that weapons systems, communication systems and many other elements required to effectively fight a war are now connected to networks, more reliant on software and therefore subject to a cyber attack.

Given the title, There Will Be Cyberwar, and in light of Thomas Rid’s Cyberwar Will Not Take Place it is almost mandatory to see if Richard made his case and why the two authors come to diametrically opposed conclusions.

The answer is actually simple. The two authors have very different definitions for cyberwar. Thomas spent a lot of time defining war and then cyberwar in his book, and he made a convincing case why this definition of cyberwar will not be met. Read the book and listen to my podcast with Thomas to understand this point of view.

Richard has a much less stringent definition of what constitutes cyberwar.

Cyberwar is the use of computer and network attacks to further the goals of a war-fighting apparatus.

Richard has made the case clearly in his book that based on this definition cyberwar will happen and incidents have probably already occurred that would meet this definition.

I’ve heard no dispute that cyber weapons will be used in wartime, just a dispute over the term cyberwar.

A more interesting question is will we see a use of cyber weapons in war that is akin to the Battle of Britain / air warfare? I first heard this question from Jason Healey of the Atlantic Council in a panel discussion. The Battle of Britain proved that air power alone could be used to win a major battle. Will we see a major battle fought entirely in the cyber domain?

Richard also describes what would constitute a Cyber Pearl Harbor in the book.

It is not the destruction of the power grid, or the loss of communications from attacks against the Internet and telecom infrastructure, or even the collapse of the stock market that deservers Panetta’s dire warning. Only a crippling military defeat thanks to overwhelming control of the cyber domain deserves to be labeled a Cyber Pearl Harbor.

I believe the last sentence is a better definition of cyberwar, and perhaps a slightly modified version of the earlier definition is better for cyber weapons. In the end most of the disagreement is definitions, and this is less interesting or important than how cyber weapons will be created, deployed and used as well as defended against.

Note: I read the Kindle version on an iPad Mini 3 Kindle app. The formatting is wrong, but not so wrong to make the book unreadable on that device and still worth the convenience and savings over the print version for me.

S4x15 Video: Attribution and Retribution Panel

S4x15 came on the heals of the attack on Sony. Everyone was discussing how cyber attack attribution can be done and the level of certainty that is possible, so we had a panel to discuss this very issue.

The second part of the panel discussed what does the victim due after they have attributed an attack to a nation or organization —retribution.

The panel included Bill Hagestad of Red Dragon Rising, Jonathan Pollet of Red Tiger, and Tim Yardley of University of Illinois.

Unsolicited Response Podcast: Eric Byres after Tofino

After a long and successful struggle to bring an industrial firewall to market, Eric Byres is leaving Belden and Tofino behind. We shouldn’t call it retirement because I expect that Eric will be contributing in a number of different ways in the next ten years.

I gave Eric a few months to clear his head and then talked with him for this episode of the Unsolicited Response Podcast.

The first 16 minutes of the episode are a retrospective of Tofino. What features were surprisingly effective, what were the biggest challenges and dark times, when will we see Tofino on a chip and more.

After that we talk about bigger questions on the ICSsec community, Eric’s home automation and what he may do next.

S4xJapan Call for Presentations

HankoWe are pleased to announce a return to Tokyo for the S4xJapan event on Friday, November 6th.

S4xJapan will be held again at Academy Hills on the 49th Floor of the Roppongi Hills Mori Building. There will be a fun and novel social event (last year was the Kaspersky KIPS game for the first time in Japanese) with food and drink after the days sessions complete. And then you will be close to the Tokyo nightlife on a Friday night to have some fun with old and new friends in the ICS security community.

The event will be a very full one-day that will cover ICS security, Operations Technology (OT), ICS cyber weapons and related topics.

We are looking for sessions in both English and Japanese (simultaneous translation will be provided).

If you have a session you would like to present or know of a speaker or topic we should chase, send us an email at S4@digitalbond.com.

We will welcome some presentations from overseas experts with new information and techniques. If this is you, please note that PACSEC JP is the following Wednesday and Thursday so you can potentially speak at two events and enjoy some time in Tokyo.

S4x15 Video: Simulating Multiple Substation Failures

This is a great session for power engineers and those involved in substations to watch. It is an extremely technical session by Dr. Chee-Wooi Ten of Michigan Technological University.

The key point is actually easy to understand. The most critical substations to secure may not be the highest voltage substations, and this session provides a set of mathematical equations to perform an impact analysis to identify the most critical substations.

Dr. Ten gets into the modeling and mathematics in significant detail in the video.

S4x15 Video: Power Fingerprinting

We generally do not allow product presentations at S4, but occasionally there is a technology that is novel or potentially important that we make an exception. For example, we had Kaspersky present on their ICS operating system at S4x15.

A second exception was made for Carlos Aguayo Gonzalez of PFP Cybersecurity to present the idea of using Power Fingerprinting to identify changes in PLC or RTU logic or firmware.

I won’t attempt to summarize the technical details; watch the video. It includes a demo of the technology.

However it is interesting that the Power Fingerprinting sensor is in fact not connected to the device it is monitoring. Hello air gap. It also is a potential tool for addressing the supply chain problem.