Observations from RSA, BSides, and GABA

March 3, 2012
I attended the RSA Conference, BSides Conference, and the German American Business Association (GABA) cyber security meeting in San Francisco the week of February 26th.

"SCADA security", critical infrastructure protection, and power grids were on many people's minds. However, many of those talking about these subjects did not really seem to understand their true issues: their focus was on protecting the control system network's connections to the Internet.

RSA: The RSA conference had every possible track except for one on control systems! There were a number of vendors offering security solutions aimed at the SCADA market (that's progress). Stuxnet was being discussed by many without understanding the controller aspect. Most of the vendors were using technologies developed for monitoring IT networks and applying them to the "SCADA" networks. There were very few vendors (none that I found) that were addressing the field controllers.

BSides: On Monday, February 27th, a presentation was given: "SCADA Security: Why is it so hard?"

The presentation was illuminating in that it treated only the HMI part of SCADA systems and essentially considered them a subset of corporate IT. An unfortunate aspect was the discussion of patches. The presentation did not address the unique issues associated with patching control systems. It made no mention that the operating systems used by many of the major control system vendors are modified versions of Windows for which standard Microsoft patches are not appropriate. There was also no mention of ISA99.06 Patch Management for Industrial Control Systems. The presentation did not address field controllers. In fact, it assumed field devices did not have intelligence and could not be accessed. Both of these assumptions are wrong. There is certainly an opportunity for learning.

GABA: On Tuesday evening, February 28th, I attended the German American Business Association (GABA) program: "Cyber-Security: The European and US Approach to a Common Challenge". The speakers were:

Howard Schmidt, Special Assistant to the President, Cyber Security Coordinator at Executive Office of the President, White House
Prof. Dr. Norbert Pohlmann, Chairman TeleTrusT / IT Security Association Germany
Dr. Joerg Borchert, Vice President, Infineon Technologies
Kurt Roemer, Chief Security Strategist, Citrix Systems
Dr. Sandro Gaycken, Institute of Computer Science, Freie Universitaet Berlin, Germany

Highlights were:

Dr. Gaycken made the point that in Germany the government can regulate more forcefully than in the US, and stated in essence that German utilities had addressed cyber security. I found that surprising and doubtful: German utilities may have "addressed" the issue, but as the systems being used are not secure, they certainly have not solved it. From first-hand knowledge, German utilities are just as susceptible to control system cyber threats as any others, including those in the US.

Howard Schmidt mentioned that he had issues with the term "attack". Specifically, he didn't feel that a distributed denial of service was necessarily an "attack". I mentioned that most of the control system cyber incidents in my data were not malicious but still caused significant damage. Howard and I agreed that, if the lights go out, there is a problem regardless of whether it was malicious or not.

I mentioned that "my head hurts from banging it against a wall" in terms of trying to get the message out about control system cyber security. Howard encouraged me to keep going (it's not his head).

Even though we seem to be making progress on awareness, there certainly is a long way to go to actually understand the subject.

Joe Weiss