
Observations from the 2021 SANS ICS Cyber Security Conference

March 7, 2021
The 2021 SANS ICS Cyber Security Conference was held March 4-5, 2021 with almost 9,000 registrants globally. The Conference thoroughly addressed OT networking issues. However, cyber security issues associated with Level 0,1 devices were not as adequately understood and addressed. There was also almost no discussion of the hardware backdoors in the Chinese-made transformers. My presentation on the SolarWinds impacts on control systems on March 5th was new to many, as the focus has been on data theft. Ironically, the following day, an article on SolarWinds written by the Harvard Belfer Center – “We should call things by their correct names. SolarWinds was an espionage operation, not an act of war” – also missed the control system issues.

When I held the first ICS cyber security conference in 2002, we had 125 attendees and I couldn’t believe there could be that much interest. I am told there were more than 9,000 people that registered for the March 4-5, 2021 SANS ICS Cyber Security Conference. My, how things have changed.

This was my first time to present at SANS. I found it to be a very interesting conference (I didn’t have a chance to listen to all the presentations). The slides are now available on the SANS site and the recordings should be available soon. Having Anne Neuberger from the White House present demonstrated interest at the highest levels in the government.

SANS arranged for an artist to draw a slide that walks people through my presentation. I thought this was very neat.

My observations from the conference:

- I was happy to see the IEC62443 standards frequently mentioned.

- I was pleasantly surprised when there were no questions about my (NIST) definition of a cyber incident or how I described the differences between OT and Engineering.

- The Purdue reference model as used for cyber security was a point of contention for many. In fact, there were a number of responses stating that discussing/debating the use of the Purdue reference model could almost be its own conference.

- Even though there were presentations on procurement guidelines, there were no discussions of cyber security procurement guidelines for Level 0,1 devices. That is because, to date, there are no procurement guidelines for “legacy” Level 0,1 devices (devices in the field and those currently being manufactured). To be clear, there are requirements for medical devices, but they do not address the unique sensor issues.

- In general, there appeared to be a general acceptance that Level 0,1 devices were uncompromised, authenticated, and correct. That is wrong, which means that all process sensor input to OT networks is untrusted information. The result is you can't be cyber secure, safe, or resilient if you can't trust what you measure. There is a lack of cyber security in process sensors and other Level 0,1 devices, including built-in backdoors for maintenance and calibration. There were questions about the cyber security issues that would arise from these required maintenance activities.

- With some exceptions, there didn’t appear to be much understanding of process safety issues, particularly for Level 0,1 devices. There was interest when I mentioned the ongoing ISA84/99 work on integrating process safety and cyber security.

- From questions on the SANS portal and e-mails following my presentation, the concept that SolarWinds implements SNMP and that SNMP could affect control systems was new (see https://www.lawfareblog.com/solarwinds-hack-can-directly-affect-control-systems). It wasn’t just the SANS Conference attendees. On March 6, 2021 (the day after my SANS presentation), Tarah Wheeler from the Harvard Belfer Center and New America stated: “We should call things by their correct names. SolarWinds was an espionage operation, not an act of war.” (https://www.brookings.edu/techstream/the-danger-in-calling-the-solarwinds-breach-an-act-of-war/). According to Tarah, “Cyberwarfare is the use of computers to conduct an operation that is intended to have a kinetic effect, whether that is shutting down power grids, crashing airplanes, denying access to critical communications, attacking military infrastructure, or interrupting hospital operations.” What Tarah didn’t address is that SolarWinds can control equipment that can cause kinetic attacks.

- There were numerous discussions of control system cyber vulnerabilities. However, the only discussions of control system cyber incidents were the generally known public incidents such as Stuxnet, the 2015 and 2016 Russian cyberattacks on the Ukrainian power grid, and the recent Oldsmar water treatment system hack. Consequently, there were many inquiries about my database of more than 1,300 actual control system cyber incidents. Because my database has many incidents that are confidential (not classified), the database is not public.

- Many talked about how important it was to have engineers participate and the CISO involved. However, I did not hear any discussions about the importance of having the VP Engineering or engineering/Operations management involved.

- I saw very few mentions (only one that I can recall) of Presidential Executive Order 13920 and the hardware backdoors in the Chinese-made electric power transformers. There is no doubt this concern is real, as a large electric transformer from China was intercepted at the port of Houston and taken to the Sandia National Laboratory (SNL) for detailed evaluation. There is a utility missing a multi-million-dollar transformer that took about a year to build and install. However, there has been no information provided to US utilities or our closest allies (they have these same transformers) as to what was found at SNL. As there are more than 200 large Chinese-made transformers in the US bulk electric system, this can be an existential threat (https://www.controlglobal.com/blogs/unfettered/installed-chinese-made-transformers-can-impact-the-grid-today).
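The SNMP point above is the one most readers missed: a network management platform that speaks SNMP does not only read status from devices, it can also write to them with a SetRequest, and a write aimed at a Level 0,1 device changes equipment state. The following is an added example, not code from the original post or from SolarWinds; it is a small SNMPv1/v2c decoder that classifies the PDU type and raises an alert when a SetRequest is addressed to a host on an OT watch list. The hostnames, addresses, community string and enterprise OID (1.3.6.1.4.1.99999...) are constructed placeholders, and the sample datagrams are built inline so the script runs offline.

```python
"""Flag SNMP write operations (SetRequest) addressed to Level 0,1 devices.

Added example (not from the original post). Decodes the BER framing of
SNMPv1/v2c messages just far enough to recover version, community, PDU
type and the OIDs in the varbind list. Hosts and OIDs below are constructed.
"""
from dataclasses import dataclass

# PDU context tags from RFC 1157 / RFC 3416
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}

# Constructed watch list: addresses of Level 0,1 devices on the OT network
OT_HOSTS = {"10.0.5.20": "PLC-7 (Level 1)", "10.0.5.31": "flow transmitter FT-101 (Level 0)"}


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 digit of this arc
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


@dataclass
class SnmpSummary:
    version: int
    community: str
    pdu_type: str
    oids: list


def parse_snmp(datagram):
    """Decode an SNMPv1/v2c datagram into an SnmpSummary."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    _, ver, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    # v1 Trap PDUs carry 5 header fields, every other PDU type carries 3
    p = 0
    for _ in range(5 if pdu_tag == 0xA4 else 3):
        _, _, p = _read_tlv(pdu, p)
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        _, oid, _ = _read_tlv(vb, 0)        # first element of each VarBind is the OID
        oids.append(_decode_oid(oid))
    return SnmpSummary(int.from_bytes(ver, "big"), comm.decode("ascii", "replace"),
                       PDU_NAMES.get(pdu_tag, hex(pdu_tag)), oids)


def review_flows(flows):
    """flows: iterable of (src_ip, dst_ip, udp_payload). Returns alert strings."""
    alerts = []
    for src, dst, payload in flows:
        s = parse_snmp(payload)
        if s.pdu_type == "SetRequest" and dst in OT_HOSTS:
            alerts.append(f"{src} -> {dst}: SNMP SetRequest on {s.oids} "
                          f"(community '{s.community}') targeting {OT_HOSTS[dst]}")
    return alerts


# --- constructed sample traffic (short-form BER lengths are enough here) ---
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body


def _encode_oid(oid):
    parts = [int(x) for x in oid.split(".")]
    out = bytes([parts[0] * 40 + parts[1]])
    for arc in parts[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunk)
    return out


def sample_datagram(pdu_tag, community, oid, value=0):
    """Build a minimal v2c datagram of the given PDU type with one varbind."""
    varbind = _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x02, bytes([value])))
    pdu = (_tlv(0x02, b"\x2a") + _tlv(0x02, b"\x00") + _tlv(0x02, b"\x00")
           + _tlv(0x30, varbind))
    return _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, community.encode()) + _tlv(pdu_tag, pdu))


SAMPLE_FLOWS = [  # (src, dst, payload): a read from the NMS, then a write to a PLC
    ("10.0.1.5", "10.0.5.20", sample_datagram(0xA0, "public", "1.3.6.1.2.1.1.5.0")),
    ("10.0.1.5", "10.0.5.20", sample_datagram(0xA3, "private", "1.3.6.1.4.1.99999.1.1.0", 1)),
]

if __name__ == "__main__":
    for line in review_flows(SAMPLE_FLOWS):
        print(line)
```

The decoder stops at the OID of each varbind because that is all an alert needs; the point of the check is that any SetRequest crossing into the Level 0,1 address space deserves a ticket, regardless of what value it carries. SNMPv3 uses a different message wrapper and is not decoded here.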

It was an impressive conference that thoroughly addressed OT networking issues from many directions. However, cyber security issues associated with Level 0,1 devices were not as adequately understood and addressed.

Joe Weiss
