Agenda Précis - 2011 ACS Conference
Industry
This is my view of the state-of-the state of ICS cyber security over the past year including a discussion of incidents that either occurred or were identified as being ICS cyber since last year’s ACS Conference.
The McAfee, Ponemon, and Verizon data breach reports are used by decision makers. The conclusions in the reports are based on interviews with industry. However, the interviews did not include Operations (ICS users). The discussion includes the relevance of the conclusions and what it will take to include ICS input.
This will provide an overview of SCADASEC, trends seen to date, and an overview of several projects currently under development, including enumerating various SCADA and control system devices. Following will be a discussion and demonstration of real-time jamming of a Zigbee device (Zigbee is used for Smart Grid meters and control system devices) and a discussion of DNP protocol vulnerabilities. Finally, a real-time demonstration of robustness testing will be provided in the context of an ICS’s development (vendor) and deployment (asset owner) life cycles. Examples of electrical control devices (smart meters, RTUs, IEDs, etc.) will be used to illustrate a process that results in increased robustness of field ICSs.
All too often, utility discussions about security revolve around NERC CIP compliance, not security. The utility’s Board of Directors directed the utility to protect the interests of the Corporation, customers, employees and other stakeholders from cyber threats. As the Manager of Information Security, to meet this goal, we must go well beyond NERC CIP.
This presentation will provide a perspective on ICS workforce training particularly focusing on engineering aspects.
Major companies in the chemical sector have been addressing the need for improved industrial control systems security for well over a decade. Non-secure systems are potentially unreliable and perhaps even unsafe systems so safety and reliability are the business imperatives. Our experience has shown us that security is just one aspect of a much larger need to manage the application of IT in an industrial context, and that this cannot be done by either the IT function or Operations alone, or without a close collaboration with solution and technology providers.
There is a need to have a structured approach to making risk decisions on ICS cyber security. This presentation will take a PLC as an example and demonstrate, depending on the risk profile, the different technical approaches that can be used to provide the needed level of security.
The ICS community is often unaware of the state-sponsored activities targeting ICSs. This presentation provides insights to actual state-sponsored cyber threats to ICS in the international energy industry as well as an intelligence expert’s perspective on Stuxnet.
Government
Perry Pederson provides an update on cyber security and licensing at the NRC and then some observations on risk.
An update from Marty Edwards - Director of Control Systems Security / ICS-CERT - U.S. Department of Homeland Security
The Navy is working on cyber securing their Smart Grid and other facility installations. In doing so, they have developed interesting cyber security approaches that could be applied to the electric utility and other industries.
Never before were control systems so publicly and aggressively targeted in cyberspace than with the deployment of the Stuxnet cyber weapon. This presentation will focus on the Stuxnet worm, its impact on cyber warfare, and how control systems and the US’s critical infrastructure will have to adapt to both simplistic and advanced cyber weapons.
What is happening on the cyber security front as it applies to ICS
Hackers/Disclosures
Dillon Beresford has identified several significant cyber vulnerabilities in Siemens PLCs. He has talked about them at Black Hat (hacker) conferences. I thought it was important for the ICS community to hear the same presentations and be in a position to ask questions. Additionally, last year, Dillon spoke about VxWorks vulnerabilities at a Black Hat conference. This is a very important subject and needs to be addressed.
If there is an ICS cyber breach, many different organizations will be brought into the investigation. Each will have its own perspectives and needs. This includes law enforcement, IT security, IT forensics, and the ICS organization. This panel will demonstrate the differences in perspectives among these organizations. As an aside, we did this at the June High Tech Crime Task Force in San Ramon, CA to a largely law enforcement audience and the discussions were very interesting.
In January, a device tester asked me about testing control system devices. I arranged for a utility to provide them a control system device (in this case an RTU) to test. The thought was that a VxWorks-based RTU would be too arcane for the IT device tester. Was I ever wrong! Additionally, once the device tester found the vulnerability, there were numerous disclosure issues the vendor had to address. This discussion will explain the utility’s desire for the test, the device tester’s results, and a discussion of the disclosure issues when control system vulnerabilities are found.
APTs are now a major point of discussion in the IT community. Stuxnet may have been the first APT aimed at an ICS. This discussion focuses on APTs for ICSs and the unique APT differences for ICS.
Three different scenarios will demonstrate what happens when appropriate guidance is not followed. The first is the improper insertion of hardware into a network and the lack of controls that would allow a broadcast storm. The second is a generic failure to work with and observe controls around patching and safe practices when using equipment on non-protected networks or environments. The third is failure to properly patch, update, and reboot upgraded systems, and the havoc that can be caused by not using the right tools and systems.
The title is simply a placeholder for Mike Peters to provide his views. I believe Mike’s perspectives are important for industry to hear.
If not, natural gas pipeline discussion of new mandates for remote, automated shut-off valves and the cyber implications.
From a control system cyber perspective, San Bruno and Bellingham are eerily similar. Bellingham has aspects similar to the Browns Ferry Nuclear Plant broadcast storm. The 2009 Russian dam failure that killed 75 has characteristics similar to Stuxnet. Marshall and I will discuss the similarities of these and other incidents.
Last year, well-known IT security experts said that Stuxnet’s target would perhaps never be identified. Weeks later, the target and the attack vectors used were clear — as a result of man-months of forensic efforts. Ralph explains how he and his team approached Stuxnet and focuses on forensic techniques that may be used in similar cases. Special emphasis is put on the question of how to achieve quick results when working against time.
This presentation covers the lessons learned from control system network compromises by Conficker or Stuxnet in June 2011 at plants using Siemens Step 7 control systems.
Equipment Issues
ICS security certification can enhance security and reliability. This presentation will provide a status of the ICS certification process and lessons learned to date.
The US (TSWG) and Israel (NISA) formed a joint program to demonstrate how to secure an RTU. This presentation was originally given in Israel and I thought it would be of great interest here.
President and CEO of ABB Joe Hogan highlighted the growing importance of Cyber Security at the recent Automation and Power World event in Orlando, FL. Within ABB Markus Braendle, Group Head of Cyber Security, leads a global initiative to address these new challenges. He will be presenting ABB’s approach and provide insights into how ABB approaches Cyber Security from an organizational, process and technical perspective.
Even in the ICS world, Microsoft is a major player with workstations, particularly for HMIs. Microsoft will be providing their perspectives on supporting patch management for ICSs and other ICS needs.
All combustion turbine vendors use communication links to remotely monitor the combustion turbines for warranty considerations and also, potentially, to shut them down if needed. Many of these links are insecure, and at least two utilities have inadvertently had their combustion turbines shut down. This presentation will demonstrate a means to secure these links for several different combustion turbine vendors.
I saw this presentation in Israel and was intrigued and thought it would be of interest here. Fides provides the control network operator an independent overview of the network operational safety and security status, in addition to previously unavailable cyber-forensics capabilities and general event investigation of the data gathered.
This talk discusses the need for such a system by describing four classes of intrusion vulnerabilities (denial of service, command injection, response injection, and system reconnaissance) which can be exploited on MODBUS RTU/ASCII industrial control systems. The talk provides details on how Snort rules can detect and prevent such intrusions. Finally, the talk describes the MODBUS RTU/ASCII Snort implementation, provides details on placement of a MODBUS RTU/ASCII Snort host within a control system to maximize intrusion detection and prevention capabilities, and discusses the system’s validation. A demonstration of MODBUS RTU/ASCII Snort will be provided.