Recently, several events that bear on ICS cyber security coincided. Ted Koppel released his book on cyber attacks against the electric grid, Congress has been holding hearings on cyber security of the electric grid, President Obama has spoken about the cyber security of the electric grid, the Nuclear Regulatory Commission (NRC) just issued the Final Rule on cyber security event notifications, and the 15th ICS Cyber Security Conference was held October 26-29 in Atlanta.
The Conference showed that ICS cyber security is still a mixed bag. There were many attendees who actually understood ICS cyber security – progress! However, there were still many attendees who understood IT security but not the specific ICS cyber security issues. This was evident in some of the presentations that focused on Windows issues or network packet issues, and in a focus on compliance rather than security. There was also confusion about the relationship between safety and security.
I did not have a chance to hear all of the presentations, but there were several presentations that I believe have great significance to understanding cyber security (or lack thereof) in critical infrastructure. These specific presentations address the ease of compromising ICSs, the difficulty in securing them, and the lack of forensics for detecting control system cyber intrusions in all industries.
Ease of compromising ICSs
- Cyberx described a compromise of a modern PLC with no foreknowledge of the device or firmware. (The finding was provided to Rockwell, which has since issued a patch - http://www.securityweek.com/flaws-rockwell-plcs-expose-operational-networks.) In the attack scenario, the attacker sends an email containing a malicious URL to a technician. The targeted technician might read his email from a laptop that he also connects to the operational network as part of ongoing daily activities. If the malicious URL is opened while the laptop is connected to the operational network, a malicious JavaScript snippet executes in the victim's web browser and any network-reachable PLC affected by the DoS vulnerability freezes. To find the vulnerability, the researchers developed an algorithm that searches the firmware code and maps potentially vulnerable functions. Modified firmware is uploaded to a test device by bypassing the firmware validation mechanism, which lets the researchers develop working exploits on the test device that can later be used against equipment that has not been tampered with. In this case the validation relied on a CRC, which any attacker can recompute for a modified image, so the compromised firmware could be uploaded. This type of attack is outside the scope of NERC CIP, and could be outside the scope of the nuclear plant cyber security standards depending on how the PLC is designated. It also affects all industries.
- The ICS Cyber Security Conference continues to be the only conference where the Aurora test and hardware mitigation are discussed. The Aurora vulnerability still exists in the electric power grid. Aurora involves the rapid opening and closing of large circuit breakers to isolate a generator from the grid and reconnect it to the grid out of phase. The event is over in 250 milliseconds and can cause catastrophic damage to rotating electric equipment – the generators and large electric motors of the utilities and their customers. Because Aurora is a physical gap in the protection of the electric grid, it can only be remediated by hardware devices. Hardware mitigation exists but has not been deployed broadly. A joint DOD-utility effort presented the results of an 18-month study of one type of mitigation device – a Cooper iGR-933 Rotating Equipment Isolation Device (REID). The mitigation device operated correctly for the duration of the test period. The REID identified local out-of-phase conditions that occurred but were not severe enough to warrant isolating a generator or electric motor from the grid, and it did not isolate them. The results to date indicate that the Aurora hardware mitigation devices will not degrade the reliability of the grid, contrary to what the Dominion Virginia Quanta report suggested. The presentation also identified many of the more "popular" myths about Aurora. Several utility representatives mentioned this was the first time they had heard the actual details of the Aurora test and the technical issues with Aurora, even though they had been involved in their utility's Aurora program for years.
- Microsoft zero days (previously unknown vulnerabilities) sell on the market for more than $100,000 each. Yet for ICS, it is possible to buy a package of 200 control system vulnerabilities, including more than 90 zero days, for less than $10,000. Who says it takes a nation-state to threaten our critical infrastructures?
- Marina Krotofil's presentation was an engineer's look at which parts of a process are most critical to its safety and, consequently, where a cyber attack could do the most damage. Compromising these critical systems doesn't necessarily involve manipulating network packets, but it does involve understanding how a plant operates and which ICSs affect that operation.
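The CyberX finding above turned on a firmware validation check that was only a CRC. The following added example (mine, not CyberX's or Rockwell's code; the image layout, sample payload, patch and device key are all constructed for illustration) shows why that is no protection at all: an attacker can modify a firmware image and choose four padding bytes so that the image keeps its original CRC, so even a loader that compares against a vendor-published checksum accepts it. A keyed MAC over the image (a digital signature under a vendor public key in a real product) cannot be fixed up without the key.

```python
# Added example: CRC-only firmware validation versus keyed-MAC validation.
# Hypothetical image format; not any vendor's real format or code.
import hashlib
import hmac
import struct
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), the CRC zlib computes.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
# The top byte of each table entry is unique, so it identifies the entry's index.
REV_TABLE = {entry >> 24: i for i, entry in enumerate(CRC_TABLE)}


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(data + s) == target."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register after processing data
    treg = target ^ 0xFFFFFFFF            # register value that finalizes to target
    # After four more bytes with table indices i1..i4 the register equals
    # T[i4] ^ T[i3]>>8 ^ T[i2]>>16 ^ T[i1]>>24, independent of `reg`, so the
    # indices can be solved from the wanted value one byte at a time.
    idx, acc = [], treg
    for shift in (24, 16, 8, 0):
        i = REV_TABLE[(acc >> shift) & 0xFF]
        idx.append(i)
        acc ^= CRC_TABLE[i] >> (24 - shift)
    assert acc == 0
    idx.reverse()                         # now ordered i1, i2, i3, i4
    suffix = bytearray()
    for i in idx:                         # pick each byte so it selects index i
        suffix.append(i ^ (reg & 0xFF))
        reg = CRC_TABLE[i] ^ (reg >> 8)
    return bytes(suffix)


def forged_crc_matches(data: bytes, target: int) -> bool:
    return zlib.crc32(data + forge_crc32_suffix(data, target)) == target


def build_crc_image(payload: bytes) -> bytes:
    """Hypothetical vendor format: payload followed by its little-endian CRC-32."""
    return payload + struct.pack("<I", zlib.crc32(payload))


def crc_validate(image: bytes) -> bool:
    body, (stored,) = image[:-4], struct.unpack("<I", image[-4:])
    return zlib.crc32(body) == stored


def tamper_keep_crc(image: bytes, offset: int, patch: bytes) -> bytes:
    """Patch the payload while keeping the ORIGINAL stored CRC valid.

    The last four payload bytes (a padding region in this sample) absorb the
    fix-up, so length and checksum are unchanged.
    """
    body = bytearray(image[:-4])
    body[offset:offset + len(patch)] = patch
    (stored,) = struct.unpack("<I", image[-4:])
    body[-4:] = forge_crc32_suffix(bytes(body[:-4]), stored)
    return bytes(body) + image[-4:]


def build_mac_image(payload: bytes, key: bytes) -> bytes:
    """Keyed alternative: payload followed by HMAC-SHA256 under a device key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def mac_validate(image: bytes, key: bytes) -> bool:
    body, tag = image[:-32], image[-32:]
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag)


def tamper_mac_image(image: bytes, offset: int, patch: bytes) -> bytes:
    """Attacker without the key can only patch the body and keep the old tag."""
    body = bytearray(image[:-32])
    body[offset:offset + len(patch)] = patch
    return bytes(body) + image[-32:]


# Constructed sample: 16-byte header, a toy ladder program, 4 bytes of padding.
SAMPLE_PAYLOAD = b"\x7fPLC" + b"\x00" * 12 + b"LD  INPUT0 \nOUT RELAY0\n" + b"\x00" * 4
PATCH_OFFSET = SAMPLE_PAYLOAD.index(b"OUT RELAY0")
PATCH = b"OUT RELAY1"                 # retarget the output to another relay
DEVICE_KEY = b"example-device-key"    # assumption: provisioned at manufacture


def demo() -> dict:
    crc_image = build_crc_image(SAMPLE_PAYLOAD)
    crc_evil = tamper_keep_crc(crc_image, PATCH_OFFSET, PATCH)
    mac_image = build_mac_image(SAMPLE_PAYLOAD, DEVICE_KEY)
    mac_evil = tamper_mac_image(mac_image, PATCH_OFFSET, PATCH)
    return {
        "crc_accepts_genuine": crc_validate(crc_image),
        "crc_accepts_tampered": crc_validate(crc_evil),
        "crc_value_unchanged": crc_evil[-4:] == crc_image[-4:],
        "patch_applied": b"OUT RELAY1" in crc_evil,
        "mac_accepts_genuine": mac_validate(mac_image, DEVICE_KEY),
        "mac_accepts_tampered": mac_validate(mac_evil, DEVICE_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forging routine works because CRC-32 is linear: the contribution of four appended bytes to the register depends only on the table indices they select, so the indices are solved top byte first and the bytes that select them are then chosen against the running register. Any integrity check that an attacker can recompute or solve for without a secret, CRC or plain hash alike, is a format check, not a security control; the HMAC half of the example shows the minimum that actually binds the image to a key the attacker does not hold.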
Difficulty in securing ICSs
- Adding authentication and encryption to existing ICS protocols such as DNP3 has turned out to be more difficult than originally thought. One of the major issues in securing ICS protocols is the lack of adequate key management strategies. If a key is invalid, what should an automated process do? Deciding how an ICS or SCADA system should behave when it encounters an invalid key can force a reevaluation of how SCADA/ICSs are designed, configured and operated.
- As mentioned above, the Cyberx presentation demonstrates that you don't need foreknowledge to compromise a modern PLC.
Lack of ICS forensics
- A utility provided one of the first public discussions of the results of a cyber red team event ("white hat" attack). This utility took cyber security very seriously all the way up to the CEO and was meeting the current NERC CIP requirements. The red team attack was conducted by the state National Guard, who went in "blind" (no foreknowledge). The National Guard was able to get into critical locations, including ICSs, within a very short period of time without going through the firewall and without anyone knowing they were there. This raises many questions, including what value the NERC CIPs and the utility's monitoring capabilities provide if a "reasonable mid-tier adversary" can so easily compromise a "NERC CIP-compliant" utility without being detected.
- Robert Lee discussed several recent events that were identified as “ICS cyber attacks” that actually weren’t cyber attacks. Like the little boy who cried wolf, propagating myths can only hurt the cause of securing ICSs.
- I gave a summary presentation of three (of the more than 50) nuclear plant cyber security incidents in my database. None of these were identified as cyber, yet these three incidents caused substantial impacts. These three incidents also were initiated from systems outside the existing cyber security scope for nuclear plants. These three (and the other 50+) incidents raise a question about the new NRC requirements on disclosure. The NRC requirements only discuss what happens AFTER discovery, as the NRC has assumed that discovery capabilities exist. However, as demonstrated by this presentation, ICS cyber forensics and training may not be capable of making the discovery that nuclear plant incidents could be cyber-related.
Finally, there were several vendor displays that indicated a real path forward: technologies developed specifically for ICS applications, with operational benefits beyond security alone. One vendor demonstrated a controller that eliminates many cyber pathways through its inherent design.
Joe Weiss