An ICS vendor still in denial

Oct. 26, 2016

The demonstration of hacking the SEL751A not only showed how the system could be hacked and the operator “blinded” but also offered a solution. An SEL conference attendee, under the pretense of asking a question, told the audience the test was rigged to make the relay fail, which was not the case.

I will be providing my observations from the 2016 ICS Cyber Security Conference later. However, there was one incident that occurred yesterday (10/25/16) that I want to make public now. MSI performed a demonstration of hacking an SEL751A relay and then taking control of a motor. The choice of the SEL relay was arbitrary because the demonstration was typical of any Intelligent Electronic Device (IED), or smart relay. Because of industry’s skepticism of the INL Aurora test, we were very careful to make sure this demonstration was real and relevant. Consequently, the test approach was guided by a very seasoned utility substation expert. The demonstration not only showed how the system could be hacked and the operator “blinded” but also offered a solution. Attendees asked if SEL was informed of this vulnerability. Both MSI and I contacted SEL. What was very disappointing was that an SEL conference attendee, under the pretense of asking a question, told the audience the test was rigged to make the relay fail. This was absolutely not the case! The next presentation was by Indegy, on a vulnerability in the Schneider Modicon PLC software-based simulator. This was a success case, as Indegy found the vulnerability, disclosed it to Schneider, and Schneider provided a fix in an expedited time frame. Without intending to, the back-to-back presentations illustrated the difference between an ICS vendor and security researcher working together to resolve a vulnerability and an ICS vendor in denial.

Joe Weiss