12th ICS Cyber Security Conference observations

Oct. 29, 2012

The 12th ICS Cyber Security Conference was held at Old Dominion University's Virginia Modeling Analysis and Simulation Center - VMASC October 22-25, 2012. There were approximately 150 attendees from multiple industries, universities, government, vendors, and consultants from the US, South America, Europe, and Asia.

General observations:
More than half of the session topics this year were new since last year's conference. As with the previous ICS conferences, there were extensive questions and discussions in every session. This conference used the remote capabilities available at VMASC to enable a few speakers to "participate" from places as far away as Europe and Asia. This worked great and people had the opportunity to have live discussions with the remote presenters.

There were still different opinions about what constitutes a cyber incident, and the confusion centered on unintentional cyber incidents. One outcome of the conference was a better understanding of why documenting and sharing information on unintentional incidents is so important to CIP. ICS cyber incidents caused without intent - ICS failures stemming from the processing, storage or transmission of data - can have disastrous consequences and can serve as roadmaps for deliberate ICS attacks.

This was my first conference held at a university rather than at a hotel. From all indications, the conference was very successful with attendees pleased with the support from the university.

Technologies:
A key conference finding was that there are few (being generous) technologies that were actually developed for ICS rather than "recycled" IT solutions. One technology that was discussed could be a game changer because it improves control system performance and appears not to be susceptible to cyber threats; however, it is still in the R&D phase. Additionally, progress is being made on device authentication at the protocol level, as well as by some chipmakers transferring their know-how to control systems for authenticating end-devices.

Awareness issues:
An international survey performed for CIGRE identified the lack of cyber understanding by the control and protective relay community. (It did not address Aurora even though it is a protective relay issue).

The conference had the first public discussions of Aurora, including what actually happened with the test at INL. I found it disconcerting that more than 5 years after the Aurora test very few of the critical infrastructure attendees understood the technical issues with Aurora and why it actually applied to their facilities. Where else can you go to a cyber security conference and have a discussion on power systems engineering? A question was asked why the electric industry should care about every substation since there are so many substations - losing some should not be cause for concern. The answer is that Aurora effectively makes the substation an attacker. Consequently, any substation unsecured against Aurora can be a threat to any commercial or industrial facility with Alternating Current (AC) rotating equipment served by that substation, including power plants, refineries, ships, hospitals, data centers, etc. Since so few utilities are addressing Aurora, DOD was questioning whether it should take matters into its own hands by installing the mitigation at its own facilities, effectively protecting itself from its own utilities!

Older cyber vulnerabilities are still threats to ICS including in medical applications.

On the post-conference press call, I was asked what I considered the most important need for ICS cyber security. I believe it is senior management buy-in, i.e. understanding the possibility and consequences of an incident, the talent required to mitigate and prioritizing resources for ICS cyber security.

Information sharing:
There are pockets of end-users that are willing to share ICS information with their peers in industry. Utility control system engineers from two different utilities discussed their actual recent ICS cyber case histories. In both instances, the cause was unclear, making solutions difficult to identify. In one case, the utility lost view and control of the plant and was not able to restore the view even with the vendor on site. In the other, the utility experienced several instances of complete loss of control and view with plants at power!

Another utility discussed their legacy control system cyber security test-bed. The utility made a plea to establish an informal information sharing program to share industry practices. This involves sharing of real information, not literature searches of "solutions".

Information sharing issues:
Anecdotal evidence shows that sharing of forensic cyber-incident information by vendors with their customers is insufficient, ranging all the way to at least one case of a vendor withholding information.

There was a discussion of a project using Shodan with selected key words that found more than 500,000 Internet-facing control system devices, down to the device IP addresses. This information was provided to DHS, and ICS-CERT recently issued a notification. The concern was the researcher's liability because they found the actual Internet addresses. An example of the information sharing difficulty: the researcher actually contacted a water utility when he found they had ICSs that were remotely accessible to anyone with an Internet connection. The end-user appeared not to understand the impact and essentially ignored the warning.

An international utility was prepared to share information dealing with a recent cyber security assessment of their nuclear plant control systems performed by third parties. However, because of a threat by their vendor, they did not present. This decision also affected Ralph Langner's decision not to present. This international utility's assessment and analysis program is more comprehensive than existing US Nuclear Regulatory Commission (NRC) guidance. This raises questions concerning the adequacy of NRC cyber security guidance and therefore the adequacy of the cyber security programs of all US nuclear plants. It should be mentioned that NRC attended the conference.

A water utility described a disgruntled insider compromise. It took them a period of time to get the FBI to even respond. When the FBI finally responded, they took the utility's hard drive and the replacement hard drive did not work. It took a number of days to get a hard drive that would work. Fortunately, the utility had mirrored hard drives and was thus able to continue operation despite the loss of the one hard drive.

Demonstrations:
There were two ICS hacking demonstrations that showed the differences between a knowledgeable attacker and a hacker with minimal ICS understanding. The knowledgeable attacker demonstrated how, with less than $60 in "Radio Shack" equipment, a Zigbee wireless network can be compromised with loss of control. The second demonstration was by a malware researcher with minimal understanding of ICSs. By simply starting with a vulnerability notification about the technology on which the SCADA system was built, he was able to take control of the vendor's SCADA software.

Surprises (at least for me):
- An attendee mentioned that an international hacker tried to extort a US water utility after obtaining a screen shot of the SCADA HMI.
- A 5th Microsoft zero-day was discovered with Stuxnet.
- Flame was in the wild for more than 6 years before being discovered.

Conclusion:
The conference again provided a valuable venue for sharing ICS practices and incident descriptions, and for networking. Consequently, the conference will continue in its current format and will again be hosted by a university in 2013.

Joe Weiss