SANS and the urban legend

Yesterday, SANS held a Webcast on “A Practical Approach to Cyber Security within Control System Environments”. The participants included representatives from SANS, Sandia, SRI, MIT Lincoln Labs, and ArcSight. There were several slides of interest as well as the basis for the entire presentation that need to be addressed. The fundamental shortcomings of this entire process are the lack of available cyber data from control systems and the reticence of industry to share information. Specific issues with the presentation include: Slide #3 states: - In 1998, a 12-year-old hacker broke into the computer system that controlled the floodgates of the Theodore Roosevelt Dam in Arizona, according to a June Washington Post report. If the gates had been opened, the article added, walls of water could have flooded the cities of Tempe and Mesa, whose populations total nearly one million. June 2002. Shame on SANS- this is an urban legend. It is not a real case and should be buried accordingly. Slide #5 just happens to go to the heart of what they are trying to address and states: - Poor log management and analysis or even worse – no logs I met with ArcSight two weeks ago and made it clear there is minimal (since I won’t say none) logging capability for cyber events in current control systems. Consequently, what good does it do to have a powerful correlation engine with no data to feed it? Slide #17 Over 1 month period - 620 Security Events Identified - 9,500,000 log entries and alerts These are business LAN firewall numbers, not control system firewall numbers. Numbers of this magnitude wouldn’t be found on an OPERATING control system LAN. Slide #21 Cyber Attack scenario over 20 minutes - 1 Urgent Threat - 130 Legitimate Risks - 960 Security Events Identified - 7,060,000 raw source events Same comment as from Slide#17. Slide#24 DATES Vision - Realtime event correlation system to support local operator identification and response With what data???? - An anonymous and secure peer sharing framework that allows o Sector wide threat intelligence acquisition o Enables rapid collaborative response to emerging threats There is no peer sharing of actual events and the ISACs don’t work for control systems. Slide#36 NERC CIPS Mapped to ISO 17799:2005 Unfortunately ISO 17799 is for IT NOT for control systems! NIST, MITRE, Applied Control Solutions, and a utility member of the NERC CIP Drafting Team performed a line-by-line comparison of the NERC CIPs to NIST SP800-53 which is the valid comparison. The NERC CIPs fell woefully short.