Wurldtech’s Industrial Cybersecurity Database Launches

March 7, 2008
From Bryan Singer at Wurldtech:

Wurldtech is launching an applied research project which I think would appeal to folks like yourself. The planned undertaking is the largest study of its kind, examining the cyber security threats and vulnerabilities present in currently deployed control systems.

By leveraging the Achilles platform and technologies from our participating partners, unparalleled data on the types, trends, severities and potential impacts of existing control system vulnerabilities will be produced, enabling conclusions, such as the most cost-effective mitigation strategies, to be drawn.

The project will provide the participants with an unprecedented level of insight into the robustness of their collective control systems and exacting knowledge for increasing such, with all findings grounded in demonstrable fact.

I’ve attached a one page service brief describing this exciting initiative. We are signing up 20 partners for this initial round. If you are interested, please let me know soon as the slots are filling up quickly.

Any questions/comments/thoughts can be directed to me or the program lead Mr. Breen Liblong (cc’d on this email).

Best Regards,
Bryan L Singer, CISM, CISSP

HERE'S THE ATTACHMENT BRYAN REFERRED TO:

INDUSTRIAL CYBER SECURITY DATABASE

Concerned About The Cyber Risks Of Your Industrial Automation And Process Control Environments?

The recent introduction of information technologies such as Windows®, Ethernet® and TCP/IP in industrial control devices has resulted in significantly less isolation from the outside world. SCADA protocols, particularly those running over transport protocols such as TCP/IP, have vulnerabilities that can be exploited by network hackers or terrorists to cause considerable disruption to critical infrastructure.

As highly integrated control systems are relatively new, there is remarkably little data, of any quality, on network security for these industrial devices.
The current methodologies for security testing focus on business systems and their dependence on common operating systems such as Windows and UNIX. Similarly, vulnerability reporting such as CERT or BugTraq primarily addresses IT products and is rarely relevant to industrial control products. In order to determine the security robustness of integrated control systems, new testing methodologies were required.

PROJECT OVERVIEW

Wurldtech Labs, a recognized leader in testing industrial automation devices for security vulnerabilities, is initiating a program to extend Delphi, its comprehensive security vulnerability database for next generation control and safety devices, to include those in active operation. Delphi 2.0 will provide unparalleled insight into the robustness of control systems used by industry including visibility of the actual vulnerabilities present in each. Proven, cost effective mitigation strategies for all classes of detected vulnerabilities will then be made available.

Delphi 2.0 will extend the current Delphi device vulnerability taxonomy and data model to further classify vulnerabilities according to the likelihood of occurrence on an operational network. This taxonomy will become the de facto standard for characterizing industrial security vulnerabilities according to their likelihood of occurrence and resulting impact on the reliable operation of the susceptible device. This characterization of severity will also give users the ability to quantify the risk related with each vulnerability, and the cost associated with its mitigation.

Delphi 2.0 will be populated using Wurldtech’s proven Achilles Satellite technology and associated test methodologies for comprehensively testing control system devices. Program participants will represent a variety of critical infrastructure sectors, including oil and gas, electrical power generation and distribution, transportation, and water.
Wurldtech test engineers will thoroughly examine the devices provided by the participants, and populate Delphi 2.0 with information on all security vulnerabilities discovered by the device tests. Delphi 2.0 will form the core of a comprehensive database that will be continuously expanded and kept up to date, and made available to critical infrastructure asset owners and operators on a subscription fee basis.

WHO SHOULD PARTICIPATE?

Owners and operators of critical infrastructure operations who have a large number of networked control devices would benefit the most from participation in the Delphi program. Legacy devices are of particular interest as they are commonly the most vulnerable to cyber security exploits, having been developed before security became an important issue with device vendors. Legacy devices are also typically the most poorly characterized with respect to security vulnerabilities, and vendor support to fix weaknesses is frequently not available. Further, large numbers of such devices dramatically increase the risk of single point of failure thus threatening the reliability and availability of the control system.

WHAT ARE THE BENEFITS?

Comprehensive Assessment of Cyber Security Vulnerabilities Present in Your Critical Assets
The Delphi program is the largest scale study to date, based on a broad cross section of devices, and will provide participants with an unprecedented level of insight into the robustness of their collective control systems.

Proven Cost-Effective Risk Mitigation Strategies
In addition, the program will provide specific methods for increasing security robustness by recommending and demonstrating risk mitigation strategies associated with all security vulnerabilities that have been discovered.

Quantitative Modeling of ROI
The program results will form the basis for modeling the ROI on security strategies, providing a quantitative measure on the costs associated with reducing the risk to a given level determined by the participant.

Comprehensive Analysis of Program Results
In addition to receiving detailed results of the security tests on their specific devices, participants receive access to the generalized results of the study, including the data model definition, vulnerability and risk classification schemes, and relative risk by industry.

Highest Levels of Confidentiality and Privacy
All information provided by the participants, and specific test results arising out of the testing efforts, will be kept confidential by Wurldtech. Any collective information deriving from the program will be sanitized of specific participant information before being shared with other participants or any other third party. This is consistent with Wurldtech Labs practice of the highest level of confidentiality and respect for the additional privacy needs of the automation industry.

WHAT ARE THE DELIVERABLES?

In exchange for participation, participants will receive the following:

An analyst report summarizing the vulnerabilities discovered in all devices tested in the program.
The report includes:
--An analysis of the tests including all patterns or trends relating to vulnerabilities identified;
--A risk comparison across industries;
--A vulnerability taxonomy and data model (containing attributes such as vulnerability type, probability of occurrence, severity, impact, industry) used to characterize device vulnerabilities;
--Security ratings of the submitted devices and the underlying scoring system upon which it is based;
--A risk mitigation taxonomy with proven, cost-effective strategies for mitigating the risk associated with each vulnerability;
--Midterm and final briefings;
--Achilles test results for the specific devices provided by each participant. This is a significant discount from the cost of a standard single Achilles device test;
--Subscription at a favorable discount to ongoing information on any new security vulnerabilities discovered subsequent to the program termination.

For further inquiries about the Delphi program, please contact the program coordinator:
Breen Liblong, Delphi Program Director
Tel: (604) 669 6674 | E-mail: [email protected]