Selected thoughts from 2017 ICS Cyber Security Conference

The 17th ICS Cyber Security Conference was held 10/23-26/17 in Atlanta. The detailed agenda can be found at CyberWire covered the Conference and provided daily commentary -

Enclosed are my thoughts on selected issues:

- This is the largest ICS Cyber Security Conference to date – almost 400 attendees

- I gave my annual State-of-the-State of ICS Cyber Security presentation the morning of the 24th. Ironically, early that morning, I received a LinkedIn “Like” of my August DEF CON presentation on the lack of ICS Level 0,1 cyber security from a Senior Technical Support Engineer from an infrastructure company in Iran – they know about this gap! There was also a presentation by FireEye on Iranian threats. The FireEye presenter was not aware of this communication nor the articles written by an Iranian engineer on Stuxnet and plant safety systems.

- OT (ICS) network monitoring/anomaly detection is coming of age. There were numerous presentations concerning ICS network anomaly detection, IT/OT coordination, and threat intelligence. CyberX gave a presentation of their ICS and IIoT risk report. The data validated what I have been saying for years - ICS networks are vulnerable.

- Discussions on the lack of Level 0,1 cyber security are becoming more prevalent, though there is still not a good understanding of what it really means. The Air Force Institute of Technology (AFIT) and SIGA provided the only presentations on Level 0,1 devices BEFORE they become Ethernet packets. (Full disclosure: I am on SIGA’s Technical Advisory Board). The other Level 0,1 presentations only looked at the Ethernet packets (see the blog that addresses this topic).

- Jake Brodsky gave a presentation on an ICS “bug” in a PLC. Jake didn’t know if it was a bug or a hack - and went to his vendor for support because the controller exhibited an unusual operational response that should not have happened. The gist was the resultant “rapid” timeline to fix the problem - 7 months! The message is that a sophisticated cyber hack on an ICS device may take time to discover and a long time to resolve after initial discovery. However, because of the length of time to resolve the problem, the device may have to be used despite the potential cyber threat.

- Following Jake’s presentation, I had some informal discussions with DOD. DOD has not always received timely support from some of the ICS vendors on ICS cyber-related issues because they haven’t been a “big-enough” customer. Consequently, DOD has been forced to understand the issues on their own. I hope to have a presentation on this topic next year.

- Ben Stirling gave a presentation on an ICS incident at his power plant. The event occurred when a security device, in this case a data diode, was improperly installed, leading to a loss of control system logic. The presentation showed the importance of plant and vendor communications.

- We held a panel session on using cyber to manipulate physics and parallels to military operation. There are many ways to damage equipment by using cyber to initiate unstable reactions. The Aurora vulnerability is one example. Additionally, NERC recently issued a report on forced oscillations which can be initiated by cyber means. These physics reactions can cause either electrical or mechanical instabilities with resultant widespread grid outages and damage to equipment. The second part of the panel was a military response: What happens if President Putin tells President Trump that if he doesn’t like what we are doing in Syria he will turn the lights off in New York? Can Russia do that? The answer is we don’t know, which is not a very satisfying answer.

- Albert Rooyakkers gave a presentation on the Bedrock system which is secure-by-design and has even addressed EMP immunity. This shows it is possible to develop secure-by-design control systems. (Full disclosure: I am on Bedrock’s Technical Advisory Board).

- There was also a session on the special relationship between the US and UK on ICS cyber security.

- Based on discussions at this year’s Conference with some end-users, it is our intention to have the Conference continue the tradition of having end-users discuss actual ICS cyber incidents they have encountered.

Joe Weiss