Bandolier: Gold Standard, or Only Half Way There?

June 7, 2008
Bandolier: Is half way there good enough? I want to specifically respond to Ralph Langner’s comments from my blog post on Severity Levels. Ralph posted:

“While I agree in general that severity cannot be established without context, experience tells me that such context can hardly be established by any kind of automated software tool. Even worse, many asset owners don't have any realistic idea, not to say methodology, of calculating the cost of potential cyber incidents. Without having seen the Bandolier product, my guess is that it goes half the way... which is better than nothing, after all.

P.S. Why not discuss this stuff over at Digital Bond's?”

My response: Being honest, I want to discuss it here, because this is MY turf…and frankly, the Digital Bond folks don’t seem to want to hear it. Let me show you why I feel that way.

On Monday I had a phone call with Dale Peterson to determine if he would have been interested in a joint proposal (Digital Bond and Applied Control Solutions) to extend Bandolier to address the control system issues identified in the original blog post. I felt, and I still feel, that Bandolier is useful, but not addressing all the issues it could, and I wanted to help make it an even more useful tool—all that it could be. So you’re right, Ralph. Bandolier “is better than nothing.” But do we want to stop at “better than nothing”?

I explained to Dale my concern that Bandolier appeared to be addressing computers and not systems. My concerns were that I thought the Bandolier approach could cost the end users significant money by having to address non-critical systems. Additionally, I thought Bandolier could provide a false sense of security by not addressing the security of the systems and facilities (which is, after all, why we are doing Critical Infrastructure Protection, CIP). Dale’s response was that their scope was not the security of the systems.
He added that he felt it would be difficult to address the control systems issues but would be happy to use whatever result I could come up with as a plug-in to Bandolier. I can’t help but feel that just because it would be difficult doesn’t mean we shouldn’t be addressing the system security issues, instead of trying to secure systems by securing individual computers.

According to Dale, Bandolier is a joint effort by the control system supplier, who provides the optimal operating system configuration for their new systems, Digital Bond staff, who review the configuration, and an end user (such as TVA). He then mentioned the purpose of Bandolier was to be the “gold standard.” I then asked if the current “gold standard” was NIST SP800-53. Dale said it was the NIST Federal Desktop Core Configuration (FDCC). Remember, the FDCC was developed for desktop operating systems, not industrial control systems. That’s what NIST SP800-53 and ISA99 are trying to do—write a “gold standard” for industrial control systems. So why are we ignoring that work, from people who actually have worked with control systems? If somebody can explain this to me in short simple sentences, maybe I won’t be so confused.

I then asked Dale how Bandolier handled old, obsolete operating systems such as Windows NT4 and Windows 95. Dale said Bandolier had no files for these old systems. These older systems are still in use even with many modern DCS upgrades and often cannot be replaced – how can you ignore them??? Remember, companies like ATS (Advanced Technical Services) even still manufacture out-of-date circuit boards for industrial computers and PLCs that are 25 years old, and cannot be taken out of service…but that are networked through serial device servers on the plant floor. These systems will not go away for decades. Why are we ignoring them?

I believe the purpose of control system cyber security (CIP) is not to secure a computer, but to secure a system and/or facility.
The vulnerability of a computer is important only if it leads to a compromise of a process or facility. To explain why it is so important to secure systems, not computers, I will provide two examples. Mark Hadley from DOE’s Pacific Northwest Laboratory (PNNL) and I created a list of myths about control system cyber security. One myth was that firewalls are enough protection. As Mark and others would say, “firewalls are speed bumps,” particularly if appropriate rule sets are not used. The hacking demonstration performed by Idaho National Lab staff at the 2004 Control System Cyber Security Conference in Idaho Falls traversed MULTIPLE sets of firewalls prior to compromising (opening and closing) the smart relays and operator displays. Another myth is that VPNs secure networks. At the 2007 Conference in Portland, PNNL compromised OPC packets and then used a VPN to camouflage the compromised packets. The result was a compromise of a modern SCADA system (changing voltages) and the operator displays. Both of these examples demonstrate that it’s the system that needs to be secured, not the computer.

Here are my comparisons of what severity really means in the process control system context to what Digital Bond’s Bandolier Project defines severity to be. I hope this can begin to explain the differences:

Severe

Bandolier - This represents the most serious potential impact to the control system. A check that is non-compliant and has an internal rating of severe generally indicates that the system is at risk unless other specific mitigation measures are in place. Poorly configured directory permissions or network services, for example, can lead to system compromise and would have the severe rating. Examples:
- Incorrectly configured permissions on critical system directories such as /etc/passwd
- Web server or FTP server with improper user restrictions

Control systems - This represents failures, omissions, or errors in design, configuration, or implementation of required programs and policies which have the potential for major equipment and/or environmental damage (millions of dollars), and/or extreme physical harm to facilities’ personnel or the public, and/or extreme economic impact (bankruptcy). Example:
- The Bellingham, WA gasoline pipeline rupture’s impact was 3 killed, $45M damage, and bankruptcy of Olympic Pipeline Company. The National Transportation Safety Board identified the cause as the operator using the operational SCADA system for development work. A Bandolier check would not have identified the problem behind this obviously severe event.

Moderate

Bandolier - This category represents a variety of checks with potential control system security impact. They may not lead to system compromise in themselves, but could aid an attacker or become a more serious problem in the event of some other failure or compromise. Included in this category are items such as unnecessary services, inadequate password strength, insufficient logging, etc. Examples:
- Network share that exposes sensitive control system information
- Incorrectly configured security event log settings
- Weak password requirements such as inadequate length or complexity requirements

Control systems - This represents failures, omissions, or errors in design, configuration, or implementation of required programs and policies which have the potential for moderate equipment and/or environmental damage (tens of thousands of dollars) with at most some physical harm to facility personnel or the public (no deaths). Examples:
- Maroochy (Australia) wireless hack, which caused an environmental spill of moderate economic consequence. I don’t believe this would have been identified by a Bandolier check.
- Browns Ferry 3 Nuclear Plant broadcast storm, which could have been caused by a bad Programmable Logic Controller (PLC) card or by insufficient bandwidth; neither cause would have been detected by Bandolier testing.

Informational

Bandolier - This category represents checks that may not pose a threat to the system or are simply informational in nature. These will typically be identification checks that indicate the role or version of a particular control system application. Example:
- Configuration file indicates that the system is serving in a particular role (e.g. historian, real time, etc.)

Control systems - This represents failures, omissions, or errors in design, configuration, or implementation of required programs and policies which have the potential for minimal damage or economic impact (less than $10,000) with no physical harm to facility personnel or the public. Example:
- Davis-Besse Nuclear Plant cyber incident caused by a contractor plugging a laptop contaminated by the Slammer worm into the plant Safety Parameter Display System. I don’t believe this would have been identified by Bandolier testing.

I want to reiterate that ACTUAL control system cyber incidents including Bellingham, Maroochy, Browns Ferry, Hatch, the Florida Outage, etc. were not caused by incorrect operating system configurations or operating system vulnerabilities. Neither were many of the other control system cyber incidents in my incident database. Is CIP protection of critical infrastructure or of “critical computers”? Why do DOE and DHS continue to fund projects that do not address actual control system cyber incidents that have already occurred? In fact, why don’t they want to know about these incidents, most of which have NOT been reported to government? Why isn’t DOE funding projects like Aurora with solutions to demonstrated control system vulnerabilities?

Yes, the Bandolier project is worthwhile. Yes, Ralph, we should be developing automated tools to help us secure control systems. But the Bandolier project is not designed to go all the way to where we should be.

Joe Weiss