Wurldtech’s Industrial Cybersecurity Database Launches

From Bryan Singer at Wurldtech: Wurldtech is launching an applied research project which I think would appeal to folks like yourself. The planned undertaking is the largest study of its kind, examining the cyber security threats and vulnerabilities present in currently deployed control systems.   By leveraging the Achilles platform and technologies from our participating partners unparalleled data on the types, trends, severities and potential impacts of existing control system vulnerabilities will be produced enabling conclusions, such as the most cost-effective mitigation strategies, to be drawn.   The project will provide the participants with an unprecedented level of insight into the robustness of their collective control systems and exacting knowledge for increasing such, with all findings grounded in demonstrable fact.   I’ve attached a one page service brief describing this exciting initiative.  We are signing up 20 partners for this initial round. If you are interested, please let me know soon as the slots are filing up quickly.   Any questions/comments/thoughts can be directed to me or the program lead Mr. Breen Liblong (cc’d on this email).   Best Regards, Bryan L Singer, CISM, CISSP HERE'S THE ATTACHMENT BRYAN REFERRED TO: INDUSTRIAL CYBER SECURITY DATABASE Concerned About The Cyber Risks Of Your Industrial Automation And Process Control Environments? The recent introduction of information technologies such as Windows®, Ethernet® and TCP/IP in industrial control devices has resulted in signicantly less isolation from the outside world. SCADA protocols, particularly those running over transport protocols such as TCP/IP, have vulnerabilities that can be exploited by network hackers or terrorists to cause considerable disruption to critical infrastructure. As highly integrated control systems are relatively new, there is remarkably little data, of any quality, on network security for these industrial devices. The current methodologies for security testing focus on business systems and their dependence on common operating systems such as Windows and UNIX. Similarly, vulnerability reporting such as CERT or BugTraq primarily addresses IT products and is rarely relevant to industrial control products. In order to determine the security robustness of integrated control systems, new testing methodologies were required. PROJECT OVERVIEW Wurldtech Labs, a recognized leader in testing industrial automation devices for security vulnerabilities, is initiating a program to extend Delphi, its comprehensive security vulnerability database for next generation control and safety devices, to include those in active operation. Delphi 2.0 will provide unparalleled insight into the robustness of control systems used by industry including visibility of the actual vulnerabilities present in each. Proven, cost effective mitigation strategies for all classes of detected vulnerabilities will then be made available. Delphi 2.0 will extend the current Delphi device vulnerability taxonomy and data model to further classify vulnerabilities according to the likelihood of occurrence on an operational network. This taxonomy will become the defacto standard for characterizing industrial security vulnerabilities according to their likelihood of occurrence and resulting impact on the reliable operation of the susceptible device. This characterization of severity will also give users the ability to quantify the risk related with each vulnerability, and the cost associated with its mitigation. Delphi 2.0 will be populated using Wurldtech’s proven Achilles Satellite technology and associated test methodologies for comprehensively testing control system devices. Program participants will represent a variety of critical infrastructure sectors, including oil and gas, electrical power generation and distribution, transportation, and water. Wurldtech test engineers will thoroughly examine the devices provided by the participants, and populate Delphi 2.0 with information on all security vulnerabilities discovered by the device tests. Delphi 2.0 will form the core of a comprehensive database that will be continuously expanded and kept up to date, and made available to critical infrastructure asset owners and operators on a subscription fee basis. WHO SHOULD PARTICIPATE? Owners and operators of critical infrastructure operations who have a large number of networked control devices would benefit the most from participation in the Delphi program. Legacy devices are of particular interest as they are commonly the most vulnerable to cyber security exploits, having been developed before security became an important issue with device vendors. Legacy devices are also typically the most poorly characterized with respect to security vulnerabilities, and vendor support to fix weaknesses is frequently not available. Further, large numbers of such devices dramatically increase the risk of single point of failure thus threatening the reliability and availability of the control system. WHAT ARE THE BENEFITS? Comprehensive Assessment of Cyber Security Vulnerabilities Present in Your Critical Assets The Delphi program is the largest scale study to date, based on a broad cross section of devices, and will provide participants with an unprecedented level of insight into the robustness of their collective control systems. Proven Cost-Effective Risk Mitigation Strategies In addition, the program will provide specic methods for increasing security robustness by recommending and demonstrating risk mitigation strategies associated with all security vulnerabilities that have been discovered. Quantitative Modeling of ROI The program results will form the basis for modeling the ROI on security strategies, providing a quantitative measure on the costs associated with reducing the risk to a given level determined by the participant. Comprehensive Analysis of Program Results In addition to receiving detailed results of the security tests on their specific devices, participants receive access to the generalized results of the study, including the data model definition, vulnerability and risk classification schemes, and relative risk by industry. Highest Levels of Confidentiality and Privacy All information provided by the participants, and specific test results arising out of the testing efforts, will be kept confidential by Wurldtech. Any collective information deriving from the program will be sanitized of specific participant information before being shared with other participants or any other third party. This is consistent with Wurldtech Labs practice of the highest level of condentiality and respect for the additional privacy needs of the automation industry. WHAT ARE THE DELIVERABLES? In exchange for participation, participants will receive the following: An analyst report summarizing the vulnerabilities discovered in all devices tested in the program. The report includes: --An analysis of the tests including all patterns or trends relating to vulnerabilities identified; --A risk comparison across industries; --A vulnerability taxonomy and data model (containing attributes such as vulnerability type, probability of occurrence, severity, impact, industry) used to characterize device vulnerabilities; --Security ratings of the submitted devices and the underlying scoring system upon which it is based; --A risk mitigation taxonomy with proven, cost-eective strategies for mitigating the risk associated with each vulnerability; --Midterm and final briefings; --Achilles test results for the specific devices provided by each participant. This is a significant discount from the cost of a standard single Achilles device test; --Subscription at a favorable discount to ongoing information on any new security vulnerabilities discovered subsequent to the program termination. For further inquiries about the Delphi program, please contact the program coordinator: Breen Liblong, Delphi Program Director Tel: (604) 669 6674 | E-mail: bliblong@wurldtech.com