Pre-Conference Tutorials
- "SCADA for Dummies" - This is a two-hour session to introduce control systems and control system protocols to the non-control system user. Specific examples are provided from different industries.
- "IT for Dummies" - This is a two-hour session to introduce IT security concepts to the non-IT security practitioner.
- "Networking for Dummies" - This is a one hour session to introduce networking concepts to those not thoroughly involved with the latest in networking technologies.
- "Encryption for Dummies" - This is a one hour session to introduce concepts such as public-key encryption (PKI), symmetric and asymmetric encryption, hash algorithms, and CRC checksums.
Aurora
Since the 2007 CNN tape on the Aurora test at the Idaho National Laboratory (INL), there have been numerous theories or explanations as to what happened at the INL test, what is Aurora, and how can it be mitigated. As Aurora is still classified as For Official Use Only (FOUO), it has not been easy to get accurate information on Aurora. Aurora is a gap in protection of the electric grid that can damage ROTATING equipment (not just generators) in ANY industry. Aurora is a physical phenomenon. Consequently, it requires physical mitigation. To date, there has not been much movement to implement hardware fixes for Aurora. This is unfortunate because it is not clear if a major turbine failure in an international power plant was an Aurora event. There is at least one utility initiating an Aurora hardware mitigation program. The session will include an explanation of what actually occurred with the INL test (it was NOT "rigged" to destroy the generator); a discussion of some of the more common Aurora myths, and a status of the hardware mitigation project by the utility and DOD. Since there are expected to be regulatory requirements for a hardware mitigation program, the lesson learned should be of great value.
Stuxnet
Two years ago, the Conference had the first public discussions on the Stuxnet impact on the PLCs. Last year, there was a presentation on how 4 lines of code could take control of a PLC. This year, there will be a presentation on arguably, the most comprehensive cyber assessment of any industrial facility - an international nuclear plant. The project was initiated after the utility could not get acceptable answers to potential Stuxnet issues. The results of this assessment are what should be expected - almost all assets were critical; almost all critical assets needed remediation; and some equipment could not be secured. However, these results are different than most assessment results in the US - very few critical assets and very few assets needing remediation. The utility will provide their perspectives on this project.
Approximately two months ago, a paper was published in Control On-line about Stuxnet and AntiVirus. The paper examined all of the major antivirus vendors' latest offerings and had more than 30 references. We will discuss the results of the paper. However, I will not have the author present as he is a control system engineer in IRAN!
Control System Cyber Security Requirements
Control systems are purpose-built, engineered systems. Consequently, cyber security is more than just network security. Some of the most significant control system cyber incidents including those that have ruptured pipelines, caused trains to crash, destroyed hydro facilities, and shut down nuclear plants did not violate IT security policies - they were control system issues. Consequently, a panel of ICS end-user experts from chemicals, water, oil/gas, power, and DOD will discuss what functionality (network and engineering) is required to secure ICSs. This should be a great opportunity for the IT community to question control system experts on actual needs.
Case Histories
This conference is arguably the only one where people that have had their control systems impacted by cyber are willing to share their experiences. The conference employs Chatham House rules - participants are free to use the information received, but neither the identity nor the affiliation of the speaker(s), nor that of any other participant, may be revealed. This is why the open press is not allowed into the conference (a press conference is held Thursday after the conference).
There have been numerous control system cyber incidents that have caused unexpected impacts. Recently, an international power plant suffered what is almost unimaginable - a complete loss of all ICS logic in every DCS processor with the plant at power. The reason there was not major destruction was the plant still utilized hardwired analog safety systems. The root cause is still not clear. The utility will discuss the incident, plant configuration, and other details.
Another power plant lost all view to the process and could not stop or start the process from the consoles. There was no detection of this problem on the OPC server. The control system engineer will provide his perspectives.
There will also be a discussion of several water system compromises.
Cyber Security Policy Discussions
A Director of Security Policy in the National Security Staff of the White House will provide Administration perspectives on ICS cyber security, particularly as it affects surface transportation.
Vytautus Butrimas, Chief Advisor for Cyber Security from the Luthuanian Ministry of National Defence will address the Security/defense implications of ICS cyber security. While most ICS cyber security events are unintentional, the knowledge of vulnerabilities can be used to plan and execute intentional cyber attacks on critical infrastructure. The more they threaten Critical Infrastructure (CI) the more they become an issue for national security. Vytautus will present three proposals for a "way ahead" in international cooperation where Nations, institutions, and willing specialists can work together to manage and reduce the cyber threat to critical infrastructure (and perhaps address those misperceptions and fears that can lead to conflict among states).
Demonstrations of ICS vulnerabilities
more to come....
Joe Weiss
www.icscybersecurityconference.com
