Highlights from the 2014 ICS Cyber Security Conference

Oct. 27, 2014

The highlights from the 2014 ICS Cyber Security Conference can be found at www.icscybersecurityconference.com. Conference presentations and discussions included actual ICS cyber incidents, new ICS cyber vulnerabilities, and new ICS cyber security technologies.

The 14th ICS Cyber Security Conference was held from October 20-23 at the Georgia Tech Hotel and Conference Center in Atlanta. The Conference started in 2002, with this year’s version being the first under the banner of SecurityWeek. Attendees from multiple industries and countries in North America, South America, Europe, Asia, and the Middle East participated in the 2014 ICS Cyber Security Conference. (I deliberately used the term “participated,” not “attended,” because that is what makes the conference so valuable.)

The agenda, photos, and more can be found at www.icscybersecurityconference.com. The presentations are only available to the Conference attendees. Enclosed are some of the pertinent discussions:

Monday

-        In a very timely discussion, iSIGHT Partners discussed “Sandworm” and its possible impact on ICSs. The presentation identified possible activity with GE Cimplicity and Siemens WinCC systems. Similar to what occurred with Stuxnet, IT security researchers were able to identify the Windows attack but do not know whether there was more to it, possibly including a “warhead” associated with the attack. This is a major message about the need for closer cooperation between IT researchers and the ICS community.

Tuesday

-        Detailed discussions of two ACTUAL ICS cyber incidents by the end-user organizations affected (the ultimate in information sharing).

-        A briefing on Project Shine (>2 million control systems and control system devices directly connected to the Internet). There was discussion of a very recent honeypot where critical infrastructure devices were purchased from eBay and connected to the Internet. Within 2 hours, it was being attacked from China even though the device was not yet identified by Shodan.

-        A Russian IT research organization presented the results of ICSCorsair. This was the compromise of the wired HART protocol (the 4-20 milliamp sensor networks that are input to the controllers) – a vulnerability potentially more significant than Stuxnet.

-        A presentation on the status of ICS cyber security standards and standards that can affect ICSs.

-        Discussions of very interesting new ICS cyber security technologies.

Wednesday

-        Discussion of the Ponemon/Unisys report on critical infrastructure and what is needed to make the follow-up report more relevant to the ICS community. It should be noted the report was briefed to the White House.

-        Discussion of the need to identify the potential consequence of cyber vulnerabilities as many of these devices simply cannot be patched in an expeditious manner.

-        Discussion of how easy it is to hack Distributed Control Systems (DCSs) including some of those that have undergone ICS cyber certification testing.

-        Detailed discussions by DOD on Aurora including data to demonstrate that Aurora exploits a REAL gap in protection of the electric grid. A video of the NEW DOD Aurora test facility was shown validating the gap in protection of the electric grid.

-        A utility discussed why and how it is being used as a test bed for ICS cyber security including Aurora and performing detailed monitoring of the CONTROL SYSTEM networks.

-        Discussions of very interesting new ICS cyber security technologies.

Thursday

-        AFIT (Air Force Institute of Technology) gave a presentation on research activities including development of rootkits for PLCs, “DNA” fingerprints of field devices, and the ability to download the latest firmware with malware that wasn’t recognized as such. AFIT also has access to an actual “city” to do testing.

-        The presentation on SPIDERS (the DOD secure microgrid program) raised questions about the adequacy of the cyber security being employed.

-        A large paper company gave a presentation on how they were able to get senior management and Board of Directors approval and support for their ICS cyber security program. Yes, it can be done.

-        A presentation on building automation cyber security including what could and couldn’t be scaled.

-        A discussion on how safety was able to get industry buy-in and what steps it would take to get ICS cyber security to the same level.

-        A presentation on cross-industry observations on ICS cyber security assessments which demonstrated that the same weaknesses cross essentially all industries.

-        Further discussions of new cyber security technologies.

Concluding observations:

-        The status quo with ICS cyber security is not acceptable.

-        Information sharing is missing but needed – this will not be easy.

-        The detailed ICS discussions were new to most of the IT/security attendees.

-        There is too much focus on traditional network vulnerabilities to the exclusion of ICS-specific vulnerabilities – this was very evident with the HART and Aurora discussions.

-        There are some very promising new technologies being developed.

-        The feedback from the event was overwhelmingly positive and planning for the 2015 ICS Cyber Security Conference has already begun.

Joe Weiss