Digital Bond

For Secure & Robust ICS

DNS Slides and Tools Release

by Leave a Comment

 

Way back at S4xJapan, 2015, Labs did a small research project on DNS domain squatting.  We never thought that it would amount to much in terms of press, but did think that would be a useful talk to spur vendors into action before it was too late. Already we have discovered some very popular ICS vendors where these squat domains are hosting malware; as Dale says, it is only a matter of time before someone gets smart (and nasty), and clones a legitimate vendor website onto a squat domains. The evildoer could host malicious software updates, bad security advice, and possibly even harvest end user credentials.

We revamped the talk slightly for S4xEurope, focusing on a few European vendors who were victims of domain squatting behavior.  We are happy to publish the slides to the talk, which covers not only domain squatting but some old topics of DNS tunneling and zone transfer issues that we’ve seen with some frequency.

We would also like to point out that EnergySec published a paper on one of these issues — DNS tunneling — some time ago.  It is worth reading if you are in the energy sector, as it is a not-uncommon mistake to see on such networks.

In Japan, we hit upon the idea of scouring websites for potentially malicious links. For example, if you are an ICS vendor, perhaps you should look through your support forums for links to homoglyphs of your domain name — it could be evildoers trying to trick your users into downloading some malicious software or firmware.  While our tool is nowhere near perfect, we did write a basic version of such a webcrawler under the unimaginative name TypoScraper.  You can snag a copy from our github ‘scripts’ repository, and do with it as you will.

Image by jenniferboyer

S4x17 Call For Presentations

by Leave a Comment

Today through August 31st the S4x17 Call For Presentations is open. It is the place to present advanced topics in ICS and related fields to an audience will get it.

The process is real simple. Send an email with 2 or 3 paragraphs on your session idea to s4@digitalbond.com. We evaluate session proposals as they come in, so early submission improves your chances of acceptance.

We are expecting 500 attendees for the 3-Stage Event, and we will again focus on creating fun social events for you to spend time with your fellow attendees in Miami Beach in January.

So send us your best now.

S4 Classic Video: Langner’s Stuxnet Deep Dive

by Leave a Comment

Tomorrow we will be officially opening the S4x17 Call For Presentations (CFP), so I thought it would be the perfect time to highlight one of the S4 Classics to show what a S4 Technical Deep Dive looks like. Watch how Ralph goes through the code/logic in detail so you can see the key features of Stuxnet, and yet the key points are understandable without technical expertise and everything is large enough for the audience to see.

I started a new S4 Classics playlist on the S4 YouTube Channel, and this is the first video in that playlist. It received 38K views on Vimeo before we moved it to this new channel.

This video is from S4x12 when we were still in the 60 person case study rooms. The event has grown in many ways since then, but the technical meat has always been a key part of S4.

S4x16 Video: Langner’s Critical Penetration Analysis in Nuclear Power

by 2 Comments

A great 22 minute presentation by Ralph Langner of The Langner Group at S4x16. He provides some very specific examples of a cyber / physical attack on nuclear power plants. For example, a cyber attack on all of the feedwater systems.

What is the key to this type of attack? Studying the design plans, particularly around the last line of defense … the safety systems. Safety systems have not considered malicious cyber attacks, which makes much of the analysis and protection ineffective. He shows how the safety analysis is faulty in the feedwater system example.

Ralph then goes through a three step process that both an attacker and defender should use.

Filed Under: S4

S4xEurope Video: IRONGATE – Technical Deep Dive

by Leave a Comment

We decided to put the IRONGATE video from last week’s S4xEurope out first. There is no new big reveal over the information put out in the FireEye article, but Rob provides a lot of context that makes it easier to understand. He also focuses on unanswered questions and a comparison to Stuxnet.

If this is really a Grad Student Research Project, I would think we would hear who did it in the next couple of weeks. Some of the S4xEurope attendees were going to try to help make contact with the author of PLCSIM.

Here are some highlights of the video:

3:56 Why IRONGATE is interesting from a technical perspective.
6:08 Is the industry numb to this type of release due to naming, hype, process?
8:20 A flow chart showing the major steps of IRONGATE.
14:20 The actual DLL replacement code.
16:20 Record and replay code.
19:25 Comparison and contrast with Stuxnet.

The last ten minutes is Q&A.

S4x16 Keynote Video – General Michael Hayden

by Leave a Comment

General Hayden gave the Day 1 Keynote at S4x16 and really brought it. He had strong and often controversial opinions that were well defended. He pointed out where he disagreed with President Obama, FBI Director Comey and most of Europe. Check it out below or on our new S4 Events YouTube Channel.

Viewing Notes:

After a bit of intro and opening comments, it really gets cooking after the first 7 minutes.

7:44 He is less worried about a “Cyber 911” than Leon Penetta and others

14:06 Disagree with President Obama’s characterization that the Sony attack was cyber vandalism, but he does not have a better description … and he sees that as a problem.

15:20 Shame on us, not shame on China for the OPM hack. If he had the same ability to do this to China as Director NSA he would, and he wouldn’t even need to ask for permission.

17:30 “The government will be permanently ‘late to need’ in providing cyber security”

24:15 A three minute self-described rant on Europe, their “Pathological Government Structure”, and regulation/legislation that goes so far beyond the US Patriot Act.

27:56 General Hayden’s views on Encryption, which are contrary to FBI Director Comey.

29:00 Government is not, and will never be, the main player in cyber security.

34:40 Americans are going to be remember for the Internet like the Romans are remembered for their roads.

Why IRONGATE Is A Big ICS Security Story

by Leave a Comment

We were thrilled to add a session by Rob Caldwell / FireEye to next week’s S4xEurope agenda when we learned in April about the ICS malware they have named IRONGATE. This is the second biggest ICSsec story of the year to date, albeit a distant second from the Ukrainian Power Utility hack.

FireEye published some technical info on IRONGATE today, and I’m really looking forward to the technical deep dive at S4xEurope.

Three reasons why this is an important story, and none of them are this exact malware’s ability to damage real world ICS.

  1. This is the first post-Stuxnet ICS example of a Stuxnet-like man-in-the-middle attack with a record / replay feature so operators do not see what is truly going on. Many predicted that attackers would learn and mimic Stuxnet techniques. They have.
  2. Fingerprinting so it only affects a specific ICS, again like Stuxnet.
  3. IronGate arrived in VirusTotal in 2014. Yes 2014. And it had clear SCADA markers, such as SCADA.exe. How much other malware attacking an ICS is sitting in repositories around the world, or even worse undetected on operational ICS.

The attackers have learned and implemented Stuxnet techniques, but the defenders haven’t really improved the ability to detect malware targeting ICS. We need significant improvement in detection capabilities for ICS integrity attacks.

There will be a lot of speculation on who created this and for what purpose, and it will be just that … speculation. There is no evidence that this is a warning of a significant attack, or that it is not. It could be as innocent as a researcher seeing if proof of concept Stuxnet-cousin malware working in his lab would be detected in VirusTotal. Or it could be a preparatory step in related malware development by a more offensive minded organization.

Step back from that speculation, and think of the implications of the three points highlighted in this article.

S4x16 Video: Billy Rios … Infusion Pump Teardown

by Leave a Comment

Billy Rios of Whitescope gives a classic S4 Technical Deep Dive on a medical device called an Infusion Pump at S4x16 in Miami South Beach. He opens them up, shows the hardware, connections between boards, attack paths, default credentials, rogue firmware upload and more.

Billy goes over three different infusion pumps.

3:00 Hospira PCA

14:40 Hospira PLUM A+

18:10 Hospira SIMBIQ

If time is limited look at Billy’s analysis of the first and third infusion pumps. The Simbiq actually has a CAN Bus.

 

S4x16 Video: Interview with Marty Edwards, Director of ICS-CERT

by Leave a Comment

I had the chance to interview Marty Edwards who leads the ICS cyber security effort at the US Department of Homeland Security (DHS).

The first 6 minutes introduce Marty and clarify what ICS-CERT does (it’s much more than a CERT).

  • 6:50: What are ICS-CERT’s goals / metrics / measures of success?
  • 9:05: What is the purpose of DHS doing ICS assessments? and 13:13 If this assessment program is the best way to make a difference, why wouldn’t you scale it up by a factor of 1000 or more?
  • 17:00 How do you (ICS-CERT) decide what incidents require a response team from DHS to get involved?
  • 22:26 Are most of the incidents ICS-CERT responses to on the corporate network?
  • 26:20 Why is DHS providing free training, assessment, incident response and other services for large companies when a commercial capability exists?
  • 29:20 How well do the higher levels of the US Government, in all branches, understand the ICS cyber security problem?
  • 33:52 A discussion on how ICS-CERT handles the CERT activities.

Basecamp Redux: Siemens S7-1500 PLC Gets French ANSSI Certification

by Leave a Comment

We will have a series of articles coming soon on the new Siemens S7 PLC security features, and I’m pleased to announce that Oliver Narr of Siemens will join representatives from GE, Rockwell Automation and Schneider Electric on our NextGen PLC Security panel at S4xEurope, June 9-10 in Vienna.

Consider this a bit of appetizer as last week Siemens announced their S7-1500 had been certified to meet the short term security requirements for a PLC as written in a French Protection Profile from l’Agence nationale de la sécurité des systèmes d’information (ANSSI). This is not a Protection Profile in the Common Criteria format, but it is the same principle. An organization writes a Security Target indicating how they meet the requirements of the Protection Profile. A third party, in this case Amossys, tests that the Security Target is accurate and complete.

The brief threat model importantly includes “Attacker on the supervision network: the attacker controls a device plugged on the supervision network of the TOE.” So the threat agent is inside the cyber security perimeter.

The amount of detail in the Protection Profile and Security Target is minimal and leaves a number of questions. For example,

Execution mode alteration: the attacker manages to modify the execution mode of the TOE without being authorized (a stop command for instance).

Integrity and authenticity of commands and PLC mode: The TOE must ensure that the execution mode of the TOE can only be modified by authorized users. This implies, in particular, that they are authenticated.

I believe this means that a user, which the Security Target also states “may be a device or a third-party software”, must have authenticated to the PLC before these commands are accepted. This is not the same rigor as authenticating the source and integrity of the command, and it’s potentially vulnerable to spoofing and man-in-the-middle attacks. Which relates to another security claim:

Secure authentication on administration interface: Session tokens are protected against hijack and replay. They have a short lifespan. The identity and the permissions of the user account are systematically checked before any privileged action.

The rigor of the security controls and the rigor of third party analysis is unclear from the documentation, but it may be well specified somewhere I have yet to see.

Still this is a positive step forward as the documents highlight key security controls for a PLC that are met to some degree. Some of the important security requirements in this Protection Profile include:

  • Signed firmware and secure boot
  • Proper handling of malformed input
  • Secure credential and key storage on the PLC

You may have noticed the “short term” in the previous paragraph. There is another Protection Profile with medium term security requirements. This added features such as log and alarm integrity. Hopefully there will be a long term security requirements Protection Profile with an even more rigorous set of controls, particularly around authentication and recovery.

A number of other Level 1 device vendors participated in the Protection Profile development, e.g. Belden, Phoenix Contact, Schneider Electric, so it is likely other certifications will be coming shortly.

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.

Recent Comments