ICS Security Progress Masked by Vulnerability Reports

(This article was originally published on the Findings From the Field blog.)

I just finished looking through two government reports from earlier this year on cyber security vulnerabilities: the DHS Control Systems Security Program (CSSP) Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments and the Idaho National Laboratories (INL) National Security Test Bed (NTSB) Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses. The reports have a lot of similarities and are useful, to a degree. A casual reading of the reports, however, suggests that we've made no progress in securing important control systems. This is incorrect - much progress has been made. What we really need to measure ICS security progress is not lists of high-priority vulnerabilities, but rather reports quantifying deviations from best practices and defense-in-depth postures.


Review of Digital Bond Podcast - Ralph Langner Stuxnet Interview

(This article was originally published on the Findings From the Field blog.)

I spent an hour yesterday listening to Dale Peterson's podcast with Ralph Langner about the Stuxnet worm. I've complained in the past that Ralph jumps to conclusions and that his terminology tends to lead others to jump as well. So I was surprised to find the podcast to be a thoughtful discussion of issues surrounding the worm. I still differ with Ralph on several topics, especially speculation as to who will author the next advanced threat targeting control systems. Overall though, the podcast really is worth listening to, especially so for people considering where Stuxnet fits in their risk models. Details follow...


Gartner: Security Lessons Learned from Stuxnet

(This article was originally published on the Findings From the Field blog.)

I had the opportunity to read the Gartner Security Lessons Learned from Stuxnet research note a few days ago. The note was encouraging in one sense: Gartner has a lot of influence with corporate decision-makers and it is good to see them covering control system and operations issues. The bulk of the note was useful – advice to take operations security more seriously, to put strong operations security programs in place and so on. But in the end, none of the “lessons learned” seemed drawn from the Stuxnet worm. The lessons seemed drawn from run-of-the-mill botnet threats that most businesses face every day, rather than from recent targeted threats, or the worm many describe as “the most sophisticated malware ever.”


Security Basics: Secure Application Design

(This article was originally published on the Findings From the Field blog.)

Siemens received a lot of criticism when people learned that the Stuxnet worm used a hard-coded password to access WinCC databases remotely and compromise them. Some of the criticism was justified, and some was not. In this posting we explore what a secure application looks like, especially control system type applications with intensive server/server communications, and requirements for unattended reboot.


Cyber Cold War Predictions

(This article was originally published on the Findings From the Field blog.)

Kevin Haley at Symantec has just published his predictions for computer security in 2011. He mentions Stuxnet many times and mentions “cyber warfare” in passing. Many others have heralded 2010 as the beginning of a new era of cyber warfare. I think that if the 2009 Ghostnet and Aurora attacks and the 2010 Stuxnet attack represent a new “cyber warfare” then such warfare has more in common with the cold war era than with a conventional conflict.

My own predictions for 2011 and 2012 follow. In summary, all I’m really saying is that “the cold war will continue.” That seems a pretty safe bet given how long the first cold war lasted. Thinking of the events of 2009-2010 as a cold war, though, does help to answer key questions like: When will we see new, sophisticated attacks? Who will be targeted? And how do we protect important civilian infrastructure from these kinds of attacks?


Disclosure in an Era of Cyber Warfare

(This article was originally published on the Findings From the Field blog.)

Symantec reports that the Stuxnet worm targets PLCs which control high frequency, frequency-converting power supplies. Such drives are export-controlled in the United States because they can be used as components in gas-centrifuge uranium enrichment processes. Symantec stops short of identifying Iran’s Natanz uranium enrichment facility as the target of the worm, but the information they supply is suggestive of that target. This begs the question: if the objective of the worm was to prevent Iran from developing nuclear weapons, was it wise to give the worm all of the publicity it received?


Stuxnet Report Updates

(This article was originally published on the Findings From the Field blog.)

Last week ESET updated their Stuxnet Under the Microscope report, and Symantec updated their W32.Stuxnet Dossier. Important changes: the Symantec dossier includes a description of how to identify compromised PLCs, and the ESET report describes the still-unpatched Task Scheduler vulnerability in enough detail to exploit it. The ESET disclosure is surprising – usually such descriptions are reserved until a patch is available for the exploit.


Security Basics: One-way Diodes

(This article was originally published on the Findings From the Field blog.)

The Owl Computing Technologies presentation at the ICSJWG 2010 Fall Conference caught my eye. Owl has been showing up at more conferences lately, providing some competition for the incumbent industrial diode leader Waterfall Security Solutions. The question I had when I first heard of this kind of technology is “when would you use that?” The concept behind the diodes is simple: the diode hardware allows communication in only one direction. A diode can push data from one place to another, but it is incapable of sending any information back. How can this be useful in a world full of two-way communications protocols?

Security Basics: Jump Boxes

(This article was originally published on the Findings From the Field blog.)

The initial ballot on proposed revisions to NERC-CIP 005-4 is complete and the results and comments have been posted. Votes for the negative carried the day. I hope the proposed changes can be salvaged because they do have value. The revisions would require sites to use a “remote access server” or more succinctly, a “jump box” to provide access to critical assets inside an electronic security perimeter. The measures, described in more detail in a Draft Guidance Document, are intended to address serious problems with remote access mechanisms observed at NERC-CIP sites. Industrial Defender security assessors report that they agree with NERC – they also see weak and misconfigured remote access mechanisms routinely, issues that the proposed regulations should help address.


2010 ICSJWG Fall Conference

(This article was first published on the Digital Bond blog.)

Here are what I thought were the highlights of the DHS ICSJWG fall conference, in addition to the opportunity to talk to many ICS security experts:
  • The Tuesday afternoon Stuxnet sessions – excellent presentations from ICS-CERT, Microsoft, Siemens and Industrial Defender. There was not much new in the presentations, but they did a great job of pulling together everything that was published in many different places over the last several months.


Failures of Common Wisdom

(This article was first published on the Digital Bond blog.)

In preparing a paper on what steps sites can take to protect against sophisticated threats like the Stuxnet worm, it occurred to me that I had not recommended any of the steps that enterprise IT people consider “common wisdom.” I did not recommend these measures because they would have made little difference to the progress of the Stuxnet worm during the six months or so – January through July of 2010 – that the mature version of the worm circulated without detection.


SSL vs IPSEC Virtual Private Networks

Remote Site and Equipment magazine just published an article I submitted while I was still at Industrial Defender. The article contrasts IPSEC with SSL virtual private networks, and explores how well each meets the needs of providing access to remote sites like substations, pumping stations and compressor stations. The article also touches on a security problem endemic to "web-proxy SSL VPNs" and explains when and why to avoid that one variant of SSL VPN technology.


Security Basics: Network Intrusion Detection Systems

I am working on an updated whitepaper on the Stuxnet worm, and am asking myself how regulations like NERC-CIP and the DHS Risk-Based Performance Standards Guidance for CFATS can be strengthened to address threats like Stuxnet. One conclusion I'm reaching is that neither regulation requires much in the way of intrusion detection. Yes, they require logging of unsuccessful access attempts in a number of contexts, but this really is a poor substitute for an intrusion detection system (IDS). Ideally, an IDS tells you when an adversary has succeeded in compromising host or network protections. Defense-in-depth is predicated on alternating layers of both protection and detection, so that as an adversary works deeper into your systems, an alarm is raised. Detection raises the alarm, protection layers slow down the adversary, buying you time to shut down the attack.


Symantec Stuxnet Dossier

Symantec has published their long-awaited W32.Stuxnet Dossier. The dossier details high-level topics already introduced in the Stuxnet thread in the Symantec blog, and provides a couple of surprises as well.


Welcome to Control System Security

Hello everyone, and welcome to the Control System Security blog. My focus here is industrial control system security news, technologies, practices and experience. My hope is to post information and experience which helps owners and operators improve the security of their facilities. I will also provide coverage of news, attacks, standards developments and other topics which can be essential background for improving technologies and programs.

The blog may seem to be "picking up in the middle of a conversation." That's because I was the principal contributor to the Findings from the Field blog while I was at Industrial Defender. If you would like some of the background posts leading up to where I'm starting here, you may want to check out my postings ending in September 2010 in Findings from the Field.

I welcome comments, even dissenting ones. If you have a specific security issue you would like to discuss, but not in public, please feel free to send me mail or give me a call. I am always grateful for an opportunity to understand specific issues that sites are having.