SINET Security Conference Summary and Observations March 7-8, 2018

I participated in the SINET Security Conference in Mt. View, CA. The agenda can be found at https://www.security-innovation.org/events/silicon/agenda/. It should be evident there were some very important figures in the world of cyber security though there was a lack of control system cyber security expertise. Cyberwire is providing their observations and I will focus on my thoughts as they apply to control systems. I am enclosing a quote from Cyberwire: “with the exception of your own contribution, when the conference talked about the “IOT,” it was almost always taken as synonymous with the consumer IOT. Thus it was all Fitbits and thermostats, refrigerators and coffee pots, not engine governors or programmable logic controllers. They’re very much alive to the IOT, but not to the industrial side of the problem.”

My panel was “ What Are The Emerging And Most Serious Threats Looming On The Horizon?”  Our panel moderator is Brian White, Chief Operating Officer, RedOwl Analytics. Our panelists included Richard Hale, Global Chief Information Security Officer, Sony (was DISA); Tony Cole, VP & Global Government Chief Technology Officer, Attivo Networks (was FireEye); Robert Novy, Deputy Assistant Director, U.S. Secret Service, Office of Investigations; and myself. As is often the case, I was the only one with a focus on control system cyber security.   

My discussions from our panel session included:

- What keeps you up at night? My response was the North Koreans hacking the South Korean nuclear plants and the Iranians aware of the fact we have no security in our process sensors, actuators, and drives. There currently more than 2 million ICS devices already connected to Internet.

- What needs to be done? Understand what you have installed and how it is connected. Colleges need to require all computer science majors take an introductory course in engineering and all engineering students take an introductory class in cyber security. Where cyber security technologies do not exist, use compensating controls such as control system cyber security policies, procedures, architecture. Resilience and recovery are necessary because protection is not enough. If a control system is compromised, there is a good chance it will not continue to operate properly. Control system cyber security is more than just secure coding.

- Should government and industry work together? Government and industry need to work together as DOD knows security whereas industry knows the domain. Both use the same systems from the same vendors so it is a win-win for both.

- What are your thoughts about information sharing? Information sharing of actual control system cyber incidents is vital, not just vulnerabilities and threats. Currently, this information sharing is done by the engineers who want to know who else has been impacted. There is a need for IT security to do the same. All too often, control system cyber incidents occur in unexpected ways where existing incident response, security technologies, etc. are not relevant.

Overall Conference Observations:

- There was minimal ICS cyber security participation. The ICS information that was provided was new, particularly the Purdue Reference Model Level 0,1 issues (process sensors, actuators, and drives) and the impact on industrial clouds from lack of process sensor cyber security. As an interim measure, there is a need to isolate control systems that can’t be secured.

- As noted by Cyberwire, there were discussions on IOT (e.g., fitbits and refrigerators) but not IIOT(e.g., pipelines and power plants). They are different.

- There were many discussions about deception technology. However, there is a question about its relevance for control system applications.

- Most of the damage done by attackers was accomplished not through rare, exotic, and sophisticated attacks using never-before seen zero-days, but rather through social engineering, credential stuffing, and hitting unpatched systems with known exploits. Cyber hygiene was therefore much recommended (as it usually is). This is very relevant to control systems.

- There was a number of discussions devoted to incident response including table top exercises. However, the table tops were for enterprise only even though two of the participants had significant manufacturing operations. This is similar to the discussions at the March 2015 Advisen Conference when control system and plant operations were not involved in table top exercises on incident response even though it affected plant operations.

- One issue that did arise was the confusion of the term “Industrial” Control System – ICS. Some of the organizations said they had manufacturing operations with control systems, but they weren’t industrial control systems. Control system cyber security does not need to involve industrial systems and the term needs to be changed – see https://www.controlglobal.com/blogs/unfettered/control-systems-dont-have-to-be-industrial-and-they-are-used-in-all-types-of-organizations

Joe Weiss