Observations from the Singapore 2016 ICSS Cyber Security Summit and Implications

April 12, 2016

The Singapore 2016 ICSS Cyber Security Summit had active government and industry participation. There was still a lack of understanding of ICS cyber security where even a major ICS vendor is still talking about security by obscurity. New issues with cyber security of plant safety system were raised.

I gave two presentations at the inaugural Singapore 2016 ICSS Cyber Security Summit (www.singaporeicsscybersec.sg ). Singapore is an industrial and shipping center with some of the largest petrochemical complexes and busiest ports in the world. As a result, Singapore has been a leading center for industrial automation with the major ICS vendors having significant operations in Singapore. Singapore has also been a center of cyber security with BlackHat, RSA, and other major cyber security conferences being held in Singapore. In fact, BlackHat Asia was held in Singapore the week before this conference and yet there were still approximately 100 registrants before the organizers closed registration. To demonstrate the level of Singapore government interest in ICS cyber security, the Conference was opened by the Singapore government’s Deputy Director of the Cyber Security Agency who stayed and participated in the one-day conference.

Enclosed were my observations:

-        Government, end-users, vendors, and system integrators viewed this as an important topic.

Based on the government keynote (and other government meetings while in Singapore), the Singapore government not only takes ICS cyber security seriously, the government has made ICS cyber security a REAL priority.

-        Even though this was an ICS cyber security conference, there were still too many people that viewed cyber security through “IT lenses”. This included security vendors doing scans of control system networks, focus on the HMI often to the exclusion of ICS field devices, etc. In fact, it was mentioned in one of the presentations that an IT vendor doing network scans “torched” a water treatment facility.

-        A senior director from Emerson Process Management stated there are too many layers in the control system for non-ICS experts to understand. I could not believe that in April 2016, a senior representative of a major ICS vendor could still think security-by- obscurity is a defense. He then asked about security tests being faked referring to the Aurora test. I was stunned this person could publicly show such lack of understanding.

-        A major insurance broker gave a presentation about insurance for ICS and why it so important. The presenter mentioned they had risk engineers to determine the level of robustness and also had access to a panel of experts. However, the presenter was not aware without being aware that insurance risk engineers lack ICS cyber security experience. In off-line discussions with the presenter, the presenter mentioned how difficult it was to get Board attention for ICS cyber security. First it was because of the lack of awareness about ICS cyber security. Secondly, because of the lack of known ICS cyber incidents, Boards don’t consider ICS cyber threats to be relevant.

-        Robert Lee gave a presentation on active ICS cyber defense and used the recent Ukrainian cyber attack as an example. Because of the importance of Robert’s presentation, I will be issuing another blog specifically addressing NERC and the US DOE and DHS’s continuing public denial of the importance of the Ukrainian attack. Robert stated very clearly and unambiguously, every single aspect of the Ukrainian hack was repeatable. Two other points Robert made stood out to me. The first was the Ukrainian grid is still being operated manually which is consistent with data I have that it takes a substantial amount of time and effort to return to automated operation after an ICS cyber attack. The second was that a “spike” in obtaining ICS equipment can be an indicator of a possible cyber attack as attackers attempt to learn how to operate the systems. Recently on the SCADASec portal, an “IT security” person asked how he could set up a home ICS cyber security laboratory. Without asking questions about this person’s real identity, SCADASec readers provided a multitude of detailed responses on how to set up the laboratory, what type of ICS equipment would be valuable, and even where to get the ICS equipment cheaply.

-        Given that Singapore is a center of petrochemical plants, there were several presentations on safety systems and security. This is still an open issue with standards such as ISA84 addressing the connection between safety and security in process safety (another area I will address in more detail in another blog). Specifically, IEC 61508 requires the Hazard and Risk Analysis study to identify “reasonable foreseeable malevolent or unauthorized action, constituting a security threat”.  The term “reasonable foreseeable” raises some very important technical, legal, and insurance issues.

-        A demonstration was made showing that clicking on a pdf technical instruction file could trigger an attack on the HMI and PLC. The attack can blind the HMI while taking control of the PLC.

-        I gave a summary of the conference and what I considered to be important items.

  • The current trend of bring your own device (BYOD) could result in allowing use of personal cell phones or tablets for safety integrated systems. What policies would prevent such a dangerous security approach?
  • Why are Facebook, e-mail, and other such applications being allowed on control system networks?
  • Why weren’t there more HazOps and other control system experts at the conference? They are obviously as important as IT security experts.
  • I emphasized DHS’s warnings that control systems, much less safety systems, should NEVER be directly connected to the Internet.
  • Safety systems were originally designed to be stand-alone isolated systems. Yet, vendors are building “integrated” safety where control and safety are being mixed. Making this concern even more relevant is where control, safety, or both are connected to the Internet. The need to isolate the safety systems needs to be rethought especially after Stuxnet demonstrated network-connected safety systems could be bypassed or even made inoperable.
  • Industry needs to have people with attacker skills not just defender skills to better secure ICSs.
  • Do not use the NERC CIPs as a model especially as Singapore is an island with mostly distribution. The NERC CIPs specifically exclude distribution and ALL of the cyber attack vectors used in the Ukrainian hack. Standards such as ISA/IEC-62443 that have been specifically developed for ICS are preferable.

I found the conference to be good venue for needed ICS cyber security discussions between IT and control system personnel. I found the Singapore government to be interested and is taking action. How can the Singapore government approach be emulated elsewhere including the US?

Joe Weiss