Observations and Implications from the 2016 ICS Cyber Security Conference

The 2016 ICS Cyber Security Conference was held October 24-27, 2016 at Georgia Tech in Atlanta. The agenda can be found at www.icscybersecurityconference.com.  Attendees represented multiple world-wide industries, defense, ICS vendors, cyber security vendors, cyber security researchers, consultants, and educators. The keynote was given by Admiral Michael Rogers, the Director of NSA and CyberCommand. This was the first time a sitting head of NSA has addressed an ICS cyber security conference.

There were several themes throughout the conference:

- The general lack of understanding about Level 0,1 devices

- The issue of control system incidents not involving network malware (physics issues)

- The continuing cultural and knowledge gap between ICS and others: IT security, IT forensics, safety, and senior management

- The continuing lack of universally-accepted definitions, particularly “OT” and cyber incident

- The continuing lack of ICS cyber security information and incident sharing (no adequate guidance to prevent ICS cyber incidents from recurring)

- The ability of skilled hackers to compromise ICSs (identification of new ICS zero days)

There were many very good presentations. I have selected the following as they tell a story about the current state of ICS cyber security.

Admiral Rogers gave a short presentation and then answered questions for about 20 minutes. Admiral Rogers addressed many issues specific to control systems including the trade-offs on remote access, the value of air-gapped systems, the need to mitigate risk to an acceptable level, the need to better secure the most critical systems, the need to educate others on ICS cyber security so that management can make better informed risk decisions, and the trade-off between centralized and decentralized systems. Admiral Rogers made a plea for private industry to work with NSA to help identify precursors to cyber attacks as most cyber attacks are not zero days but recurrence of known cyber vulnerabilities.

Admiral Rogers addressed the recent DDoS using IoT botnets, which was a first. Admiral Rogers stated that secure control systems need to be designed from the beginning and not utilize “bolt-on” cyber technologies (note that the ExxonMobil speaker said the same). Admiral Rogers stated that currently the biggest threats to control systems are nation-states rather than criminal actors. The Admiral also extensively discussed the need to work with public entities and that NSA is working with DHS and the FBI.

Implications: Admiral Rogers’ presence gives credibility and urgency to the need to address ICS cyber security.

A water utility engineer gave a presentation about a radio frequency interference (RFI) incident with his company’s SCADA system and another company’s SCADA system from more than 100 miles away. Both utilities were using radios at the same frequency with newer, more sensitive radios. The increased sensitivity of the radios led to potential SCADA impacts. The saving grace was that the two SCADA systems used different SCADA protocols preventing the SCADA systems being “confused” and potentially issuing inappropriate commands. This was obviously a cyber incident. When asked if the utility’s IT security group was involved, the response was “why, what could they do”.

Implications: ICS system cyber incidents continue to happen. IT generally doesn’t understand the physical domain which can be a real issue with software-defined radio. The gulf between IT and ICS is still wide.

Mission Secure Incorporated (MSI) performed a demonstration of hacking a typical industry protective relay and then taking control of a motor. Because of industry’s skepticism of the INL Aurora test, we were very careful to make sure this demonstration was real and relevant. The demonstration showed that Aurora mitigation can not only be defeated, but can actually cause Aurora (or other protective relay cyber issues). Attendees asked if the relay vendor was informed of this vulnerability and the answer was yes. The demonstration not only showed how the system could be hacked and the operator “blinded” but also offered a solution. As a result of the demonstration, a utility has requested and been sent an MSI system for validation purposes.

Implications: Protective relay issues such as Aurora are physics issues, not malware. Consequently, they cannot be found by traditional network monitoring. Since many US nuclear plants are using the relay that was used in this demonstration to prevent Aurora, this becomes a significant safety issue.

Indegy disclosed a vulnerability found in Unity Pro, a Windows-based programming, debugging and operating software for Schneider’s PLCs (see http://www.securityweek.com/ics-networks-risk-due-flaw-schneider-plc-simulator). Unity Pro includes a PLC simulator component that allows users to test applications without the need to connect to the PLC. Indegy has warned that products from other PLC vendors could be affected by similar vulnerabilities and attacks might not be easy to detect.

Implications: The Indegy demonstration showed that “subtle” cyber vulnerabilities continue to exist in PLCs.

CyberX uncovered a critical zero-day vulnerability in a commonly-used industrial firewall. The zero-day is a buffer overflow vulnerability in the firewall's embedded HTTP server. It allows cyber attackers to execute arbitrary code on the device, potentially allowing them to change firewall rules, eavesdrop on network traffic and inject their own malicious packets. Cyber attackers can also exploit weak authentication or vulnerabilities in downstream PLCs to control them and potentially cause cyber-physical damage. CyberX also announced that it has discovered a total of seven zero-day vulnerabilities in commercial PLCs used to control core industrial components such as sensors and relays.

Implications: Industrial firewalls have been employed as a key part of the defense-in-depth strategy for ICS cyber security. This makes continuous monitoring and anomaly detection even more important to quickly detect and respond to unusual and unauthorized activities on ICS networks. This was also part of the findings from the Ukrainian cyber attack.

Alex McEachern of Power Standards Laboratory (PSL) did a hands-on live demonstration of remotely attacking the power supply of an "air-gapped" ICS system, permanently disabling it.  This first-of-kind demonstration, which McEachern has labeled a "Cerberus" attack, can either permanently damage the power supply, or cause a fire or explosion. 

Implications: There are several vectors for access via power line, including: using compromised protective relays to cycle power (see MSI demonstration); using the webservers embedded in power supplies, UPS, and other ICS components; or using the Bluetooth technology used in electric distribution reclosers.

An insurance panel addressed the knowledge gap between the insurance community and the ICS community. Issues discussed included policy exclusions, such as those for terrorism and war, which can include cyber, as well as the complex interplay among types of policies (cyber security, property & casualty, business interruption and liability) if cyber incidents damage physical assets. Also important was the need for insurers to see real risk mitigation for ICS assets as a prerequisite to coverage.

Implications: The panel members stated that, because NERC CIP is a baseline, the insurance industry does not give “extra points” for CIP compliance nor is the NIST Cyber Security Framework enough – unless it is really implemented. The insurance industry is looking for something more – a “good story” about an effective cyber risk management program.

Ellen Smith, who was formerly the Chief Operating Officer (COO) of National Grid US, gave a presentation of a senior executive’s view of ICS cyber security. While at National Grid, Ellen was the responsible senior executive for signing NERC CIP documentation. Ellen identified 3 current leadership gaps when it comes to ICS cyber security:

- Cyber risk is not being fully assessed

- A lack of seeing the vulnerabilities of the entire system, not just the network

- A lack of fundamental system and cyber knowledge

Implications: NERC CIP and NEI 08-09 compliance does not equal security. Senior executives are responsible for security, compliance, and reliability/safety. Consequently, they need to understand the interrelationships between security, compliance, and reliability/safety.

Don Bartusiak, the ExxonMobil project manager, gave a presentation on the ExxonMobil advanced control initiative. Don provided an explanation on the myriad needs for the initiative. Specific to this Conference, ExxonMobil recognized that cyber security cannot be a bolt-on solution but must be part of the initial design. Don also made a plea for industry participation in this advanced control initiative with the next meeting being November 15, 2016 in San Francisco.

Implications: As Admiral Rogers stated, the existing control system cyber security approach of bolting on security is not acceptable.

The Idaho National Laboratory (INL) gave a detailed presentation on the Ukrainian cyber hack and why it was relevant to US utilities.

Implications: The statements made by NERC, DOE, and DHS that cyber cannot cause equipment damage, and their statements about the Ukrainian cyber attack, are suspect at best.

Safety and security are related but not the same. There were several sessions devoted to how to better coordinate these two critically important issues. There were discussions about the use of integrated control and safety for critical safety applications and how that may relate to cyber threats.

Implications: As many ICS components used in safety systems continue to have ICS-CERT vulnerability disclosures, there is a need to discuss their use in safety systems. Additionally, safety covers more than nuclear plant safety and safety instrumented systems in chemical applications. Safety also covers manufacturing applications that can lead to public safety issues resulting in personal injuries or deaths.

Information sharing on actual ICS cyber incidents begets discussions of new incidents. After discussing several ICS cyber incidents caused by EMI/RFI, I was approached by an end-user that had a similar incident that was not publicly disclosed. Having end-users identify previously unrecognized ICS cyber incidents occurs often after giving example case histories.

Implications: ICS cyber incidents are more prevalent than many people believe. However, many of these incidents were not identified as being cyber-related. There needs to be more training for ICS personnel to identify incidents that are not being identified as cyber-related and to know when to coordinate with IT security (this was the project I did for the International Atomic Energy Agency, IAEA, in June 2015).

Summary

Admiral Rogers’ presence gives credibility and urgency to the need to address ICS cyber security. The Conference had great presentations and considerable discussions with all conference participants. The Conference continues to demonstrate that a trusted environment can be a viable vehicle for needed information sharing about threats, incidents, vulnerabilities, and solutions.

Joe Weiss