Agenda Precise - 2011 ACS Conference

Industry

  • Current ICS cyber security industry status
  • This is my view of the state-of-the state of ICS cyber security over the past year including a discussion of incidents that either occurred or were identified as being ICS cyber since last year’s ACS Conference.

  • ICS issues with McAfee, Ponemon, and Verizon reports (lack of ICS input)
  • The McAfee, Ponemon, and Verizon data breach reports are used by decision makers. The conclusions in the reports are based on interviews with industry. However, the interviews did not include Operations (ICS users). The discussion includes the relevance of the conclusions and what it will take to include ICS input.

  • Trends from SCADASec and control system vulnerability demonstrations
  • This will provide an overview of SCADASEC, trends seen to date, and an overview of several projects currently under development, including enumerating various SCADA and control system devices. This will be followed by a discussion and demonstration of real-time jamming of a Zigbee device (Zigbee is used for Smart Grid meters and control system devices) and a discussion of DNP protocol vulnerabilities. Finally, a real-time demonstration of robustness testing will be provided in the context of an ICS’s development (vendor) and deployment (asset owner) life cycles. Examples of electrical control devices (smart meters, RTUs, IEDs, etc.) will be used to illustrate a process that results in increased robustness of field ICSs.

  • Domestic utility experience in going beyond NERC CIP
  • All too often, utility discussions about security revolve around NERC CIP compliance, not security. The utility’s Board of Directors directed the utility to protect the interests of the Corporation, customers, employees and other stakeholders from cyber threats. As the Manager of Information Security, to meet this goal, we must go well beyond NERC CIP.

  • ICS cyber security workforce training
  • This presentation will provide a perspective on ICS workforce training particularly focusing on engineering aspects.

  • Managing industrial IT is more than just security; Lessons from the chemical sector
  • Major companies in the chemical sector have been addressing the need for improved industrial control systems security for well over a decade. Non-secure systems are potentially unreliable and perhaps even unsafe systems so safety and reliability are the business imperatives. Our experience has shown us that security is just one aspect of a much larger need to manage the application of IT in an industrial context, and that this cannot be done by either the IT function or Operations alone, or without a close collaboration with solution and technology providers.

  • ICS security decision-making framework
  • There is a need to have a structured approach to making risk decisions on ICS cyber security. This presentation will take a PLC as an example and demonstrate, depending on the risk profile, the different technical approaches that can be used to provide the needed level of security.

  • European Cyber Security on Thermal Power Generation Control Systems
  • State-sponsored cyber activities against ICS (Night Dragon, etc.)
  • The ICS community is often unaware of the state-sponsored activities targeting ICSs. This presentation provides insights to actual state-sponsored cyber threats to ICS in the international energy industry as well as an intelligence expert’s perspective on Stuxnet.

Government

  • Risk issues with ICS cyber security
  • Perry Pederson provides an update on cyber security and licensing at the NRC and then some observations on risk.

  • DHS ICS cyber security status
  • An update from Marty Edwards - Director of Control Systems Security / ICS-CERT - U.S. Department of Homeland Security

  • Navy experience with ICS cyber security
  • The Navy is working on cyber securing their Smart Grid and other facility installations. In doing so, they have developed interesting cyber security approaches that could be applied to the electric utility and other industries.

  • Air Force - Control Systems in the Age of Cyber Warfare
  • Never before have control systems been so publicly and aggressively targeted in cyberspace as with the deployment of the Stuxnet cyber weapon. This presentation will focus on the Stuxnet worm, its impact on cyber warfare, and how control systems and the US’s critical infrastructure will have to adapt to both simplistic and advanced cyber weapons.

  • Legislative status update
  • What is happening on the cyber security front as it applies to ICS.

Hackers/Disclosures

  • IT hacker experience with Siemens controllers and VxWorks
  • Dillon Beresford has identified several significant cyber vulnerabilities in Siemens PLCs. He has talked about them at Black Hat (hacker) conferences. I thought it was important for the ICS community to hear the same presentations and be in a position to ask questions. Additionally, last year, Dillon spoke about VxWorks vulnerabilities at a Black Hat conference. This is a very important subject and needs to be addressed.

  • Panel on investigating an ICS cyber breach
  • If there is an ICS cyber breach, many different organizations will be brought into the investigation. Each will have its own perspectives and needs. This includes law enforcement, IT security, IT forensics, and the ICS organization. This panel will demonstrate the differences in perspectives from these different organizations. As an aside, we did this at the June High Tech Crime Task Force in San Ramon, CA to a largely law enforcement audience and the discussions were very interesting.

  • RTU Testing
  • In January, a device tester asked me about testing control system devices. I arranged for a utility to provide them a control system device (in this case an RTU) to test. The thought was that a VxWorks-based RTU would be too arcane for the IT device tester. Was I ever wrong! Additionally, once the device tester found the vulnerability, there were numerous disclosure issues the vendor had to address. This discussion will explain the utility’s desire for the test, the device tester’s results, and a discussion of the disclosure issues when control system vulnerabilities are found.

  • Advanced Persistent Threats (APT) for ICSs
  • APTs are now a major point of discussion in the IT community. Stuxnet may have been the first APT aimed at an ICS. This discussion focuses on APTs for ICSs and the unique APT differences for ICS.

  • Impacts of following/not following standards when working with networked systems
  • Three different scenarios will demonstrate what happens when appropriate guidance is not followed. The first is the improper insertion of hardware into a network and the lack of controls that would allow a broadcast storm. The second is a generic failure to work with and observe controls around patching and safe practices when using equipment on non-protected networks or environments. The third is failure to properly patch, update, and reboot upgraded systems, and the havoc that can be caused by not using the right tools and systems.

  • Control system incidents that could be caused by cyber attacks
  • The title is simply a place holder for Mike Peters to provide his views. I believe Mike’s perspectives are important for industry to hear.

  • NTSB presentation on San Bruno natural gas pipeline rupture (if report available)
  • If not, natural gas pipeline discussion of new mandates for remote, automated shut-off valves and the cyber implications.

  • Commonalities of San Bruno, Bellingham, and other ICS Cyber Incidents
  • From a control system cyber perspective, San Bruno and Bellingham are eerily similar. Bellingham has aspects similar to the Browns Ferry Nuclear Plant broadcast storm. The 2009 Russian dam failure that killed 75 has characteristics similar to Stuxnet. Marshall and I will discuss the similarities of these and other incidents.

  • Doing the forensics on a complex cyber attack — lessons learned from Stuxnet
  • Last year, well-known IT security experts said that Stuxnet’s target would perhaps never be identified. Weeks later, the target and the attack vectors used were clear — as a result of man-months of forensic efforts. Ralph explains how he and his team approached Stuxnet and focuses on forensic techniques that may be used in similar cases. Special emphasis is put on the question of how to achieve quick results when working against time.

  • Power Plant control systems network compromises in Brazil
  • This presents the lessons learned from control system network compromises by Conficker or Stuxnet in June 2011 at plants using Siemens Step 7 control systems.

Equipment Issues

  • Experience in Certifying ICSs and IEC 62443-2-4
  • ICS security certification can enhance security and reliability. This presentation will provide a status of the ICS certification process and lessons learned to date.

  • US/Israel joint effort to secure RTUs
  • The US (TSWG) and Israel (NISA) formed a joint program to demonstrate how to secure an RTU. This presentation was originally given in Israel and I thought it would be of great interest here.

  • ABB perspectives on ICS cyber security
  • President and CEO of ABB Joe Hogan highlighted the growing importance of Cyber Security at the recent Automation and Power World event in Orlando, FL. Within ABB, Markus Braendle, Group Head of Cyber Security, leads a global initiative to address these new challenges. He will be presenting ABB’s approach and providing insights into how ABB approaches Cyber Security from an organizational, process and technical perspective.

  • Microsoft perspectives on ICS cyber security
  • Even in the ICS world, Microsoft is a major player with workstations, particularly for HMIs. Microsoft will be providing their perspectives on supporting patch management for ICSs and other ICS needs.

  • SIEM for a water treatment plant
  • Securing Combustion Turbine communication links
  • All combustion turbine vendors use communication links to remotely monitor the combustion turbines for warranty considerations and also potentially shut them down if needed. Many of these links are insecure, and at least two utilities have inadvertently had their combustion turbines shut down. This presentation will demonstrate a means to secure these links for several different combustion turbine vendors.

  • Development of independent overview of ICS and additional ICS cyber forensics (Fides)
  • I saw this presentation in Israel and was intrigued and thought it would be of interest here. Fides provides the control network operator an independent overview of the network operational safety and security status, in addition to previously unavailable cyber-forensics capabilities and general event investigation of the data gathered.

  • MODBUS RTU/ASCII Snort: software to retrofit serial-based industrial control systems to add Snort intrusion detection and intrusion prevention capabilities
  • This talk discusses the need for such a system by describing four classes of intrusion vulnerabilities (denial of service, command injection, response injection, and system reconnaissance) which can be exploited on MODBUS RTU/ASCII industrial control systems. The talk provides details on how Snort rules can detect and prevent such intrusions. Finally, the talk describes the MODBUS RTU/ASCII Snort implementation, provides details on placement of a MODBUS RTU/ASCII Snort host within a control system to maximize intrusion detection and prevention capabilities, and discusses the system’s validation. A demonstration of MODBUS RTU/ASCII Snort will be provided.
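As an added illustration of the kind of serial-side detection the talk describes (example code written here, not the MODBUS RTU/ASCII Snort implementation or its rules), the following validates Modbus RTU frames by CRC and sorts them into the four intrusion classes named above; the allowed unit-id list, the function-code groupings and the sample frames are assumptions constructed for the example.

```python
import struct

# Assumed groupings for the example: write functions change process state,
# diagnostic/identification functions are typical of device reconnaissance.
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}
DIAG_FUNCS = {7, 8, 11, 12, 17, 43}
MAX_ADU = 256          # Modbus RTU frames never exceed 256 bytes on the wire

def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_frame(unit: int, func: int, payload: bytes) -> bytes:
    """Assemble an RTU frame: unit id, function code, data, CRC low byte first."""
    body = bytes([unit, func]) + payload
    return body + struct.pack("<H", modbus_crc16(body))

def classify(frame: bytes, allowed_units: set) -> str:
    """Return the intrusion class a serial IDS rule would raise for one frame."""
    if len(frame) < 4 or len(frame) > MAX_ADU:
        return "malformed"       # runt/oversized frames: denial-of-service class
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if modbus_crc16(body) != crc:
        return "bad-crc"         # corrupted or fuzzed frame: denial-of-service class
    unit, func = body[0], body[1]
    if func & 0x80:
        return "exception"       # exception-flagged code: response-injection class
    if unit not in allowed_units or func in DIAG_FUNCS:
        return "recon"           # unit-id sweep or diagnostics: reconnaissance class
    if func in WRITE_FUNCS:
        return "write"           # write to coils/registers: command-injection class
    return "read"

def audit(frames, allowed_units: set) -> list:
    """Classify a captured sequence of frames; anything but 'read' merits an alert."""
    return [classify(f, allowed_units) for f in frames]

# Constructed sample capture: the classic read-holding-registers request to unit 0x11,
# then a write, then a probe of an unexpected unit id.
SAMPLE = [build_frame(0x11, 3, bytes([0, 0x6B, 0, 3])),
          build_frame(0x11, 6, bytes([0, 1, 0, 3])),
          build_frame(0x22, 3, bytes([0, 0, 0, 1]))]
```

A production rule set would additionally check that writes come from the master's address and match an engineering allow-list rather than flag every write.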