13^th ICS Cyber Security Conference Highlites and Summary

More than 180 attendees from electric, water, oil/gas, chemicals, transportation, food, manufacturing, governments, and academia attended the 13^th ICS Cyber Security Conference. Attendees were from North America, Europe, Asia, and the Middle East. This is the first year we had to close registration because of seating limitations. We hope to be able to address the seating limitations next year to accommodate more people. As we do not allow taping and I am totally occupied moderating the Conference, the details are skimpy. All of the speakers were very good. I am including what I feel to be the highlites.

 

Monday – see previous blog

 

Tuesday – see previous blog

 

Wednesday

-        Two representatives from the utility test bed provided an overview. The utility senior manager provided the utility’s rationale for why actual security was important, not just compliance. This approach has buy-in through the utility General Manager. The senior manager also provided the rationale for the value of the test bed to the utility, to its customers, and to the industry. Part of what makes the test bed unique is the focus - security as a threat to reliability and not security for the sake of security. The utility OT manager then provided a technical background and status of the test bed ending with the utility is looking for technologies that will improve reliability, safety, productivity and safety. The test bed is also meant to address “people” issues. The utility is typical with having very seasoned (euphemism for older) personnel who were not raised with modern digital technologies and networking as well as younger personnel who have grown up with modern technologies.

-        DOD presented a status of Aurora that included addressing the myths prevailing in industry about what Aurora actually is and some of the details of the 2007 test at INL. The presentation CLEARLY demonstrated that existing substation protective technology is NOT adequate to protect the electric grid and EVERY substation that does not have the Aurora mitigation hardware is vulnerable. DOD also showed a tape of the first new testing on Aurora since the 2007 INL efforts. The new testing is addressing AC induction motors. A question was asked if transformers are vulnerable. There has not been testing to validate that they are, but analysis and a recent non-cyber failure of a generation step-up transformer (effectively sheared in half when the synch check relays were connected out-of-phase) provide a pretty good indication they would be vulnerable. The two utilities working with DOD on the hardware mitigation program each volunteered to say why they thought it was important to participate in this effort.

-        Walt Boyes gave the lunch keynote on security and safety. He pointed out how functional safety evolved and that functional security needs to do the same.

-        Adam Crain provided a discussion on the DNP3 vulnerabilities he and his utility partner have found and his concerns about insecure coding. He also discussed his fuzzing approach and outreach to industry.

-        Project Shine was discussed including the general approach to identifying ICS or ICS support devices connected directly to the Internet (eg, serial port servers, IP-based cameras connected to SCADA, Uninterruptible Power Supplies, etc.). Project Shine has found more than 1,000,000 devices to date including US utility substation devices, dozens of wind farm controls, and even large mining trucks. Because of disclosure issues (eg, legal), the recent discovery of a substation device directly connected to the Internet was not addressed. This is a major issue as it is a DNP slave connected directly to the DNP master (ie, SCADA). This is what Adam Crain has been addressing that could turn this innocuous device into a threat to the regional electric grid. Moreover, it can be a backdoor to allow remote changes to relay setpoints that could cause an Aurora event. I do not believe this is unique to that one utility or that one vendor. This is a situation that is not addressed by the NERC CIPS.

-        Jeffrey Smith from American Axle gave a great presentation about how they have secured (or very significantly improved security) in their factories world-wide.  What I felt was so important is their focus was on productivity and worker safety. Security was simply a threat that needed to be addressed so they could operate safely and efficiently. This is similar to the utility test bed approach.

 

Thursday

Thursday started out with open participant discussion. A major point of discussion was how to get access to the boardroom.  One approach may be through the insurance industry. There were discussions about possibly having a one-day “C-level” meeting sometime during the next Conference.

 

-        Randy Kondor gave a great presentation on OPC. OPC is in most DCS and SCADA workstations making this discussion very important. As with Aurora, there have been many myths about OPC including that DCOM is not secure meaning that OPC Classic is not secure and that Microsoft is discontinuing the use of DCOM. The presentation should have been titled “Demystifying OPC” as neither of the myths is true. Randy mentioned a point that was part of numerous discussions- good software coding and configuration must be secure AND easy to use. Without both, you are asking for problems.

-        Mike Swearingen from TriCounty Electric Coop is a thirty year power systems engineer and manager. He provided his thoughts about why it is important to address security and why Tri-County is participating with DOD in the Aurora hardware mitigation program.

-        Juan Lopez from the Air Force Institute of Technology (AFIT) gave a great presentation on unclassified work AFIT is doing to secure ICSs. Juan said they looking at the soft underbelly of ICS (race to the bottom) which is so refreshing because they are not trying to address the IT issues but the actual control system issues so few “good guys” seem to want to address. I hope we can evaluate some of those technologies in the utility test bed.

-        Anita Pavadore from GTRI gave a great presentation on wireless vulnerabilities including Zigbee and 900 MZ spread spectrum frequency hopping radios used in many electric substations and not addressed by NERC CIP.

-        Finally, the Conference closed with utility test bed OT Manager leading a discussion on OT and IT. There are many discussions about “social engineering” as a negative. What the OT Manager essentially did was use “social engineering” in the positive sense to get buy-in from IT and engineering.

 

 

Overall take-aways

-        There is still a real gap in the thought processes in IT and ICS as well as cultural issues. Hopefully, the Conference can help bridge those gaps.

-        Unfortunately, there are still impediments to disclosure as we found this year and last.

-        There are “islands” of organizations trying to do the right thing. Both the utility test bed and Alliander’s Johan Rambi are looking for solutions.

-        ICS cyber incidents continue to occur and are rarely publicly disclosed. The discussion about the loss of control of a turbine brought out another previously undisclosed incident. When actual control system incidents are discussed, often it begets disclosure of other incidents.

-        Given a trusted environment, people will share information.

 

Joe Weiss