Air Gaps Dead, Network Isolation Making a Comeback

(This article was originally published on the Digital Bond blog.)

Eric Byres' recent post claiming the #1 ICS and SCADA Security Myth is protection by air gaps struck a chord with me. I have been thoroughly distracted of late with my new role at Waterfall Security Solutions, but even so I could not let this one go by. Old-school air gaps are still used occasionally, in the most sensitive control systems. The rest of the time, technologies like data diodes or unidirectional gateways provide the most important benefits of truly air-gapped control systems, while still permitting businesses to profit from access to the real-time data produced by their control systems.


Security Basics: Social Engineering

(This article was originally published on the Findings From the Field blog.)

Miles McQueen of the University of Idaho & Idaho National Laboratories had an interesting presentation in the Security track at the last ARC World Forum in Orlando some time ago. He talked about work INL had done with their own people to increase awareness of social engineering attacks. He cited pan-cultural research results about people lying as background. The research showed how many people across many cultures believed that the following traits indicated someone was lying:


CIP-002-4 “Bright Line” Secures 163 Plants, Max

(This article was originally published on the Findings From the Field blog.)

In the 2009 statistics, the latest available, NERC tracked some 10,500 generators with a nameplate capacity of 0.1 MW or higher, at about 5700 sites. The new NERC CIP-002 version 4 "bright line" rule says NERC-CIP applies to only those generating sites with "an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW in a single Interconnection." How many locations/plants is that? According to NERC, only 163 sites have a nameplate generating capability of 1500 MW or greater, and there is no word yet on how many of those plants are exempt because they feed less than 1500 MW into any one interconnection.


Vulnerabilities Not News to Experts

(This article was originally published on the Findings From the Field blog.)

Last week's announcement by Luigi Auriemma of 35 unpatched ICS vulnerabilities is no surprise to SCADA/ICS experts. If anything, the surprise in the list of vulnerabilities is that all of them were implementation flaws rather than the more serious design flaws evident in many products. Most industrial sites maintain that their hardened perimeters are doing a good job of protecting the "soft interior" of their control systems. They are mistaken.

There are enormous numbers of unpatched security vulnerabilities in control system software - most undiscovered and un-announced. Thus far few people are looking for ICS vulnerabilities - there is little profit in finding them. Many who find vulnerabilities use the Coordinated Disclosure process, but there is a large population of skillful investigators who believe strongly in Full Disclosure. Expect a steady dribble of these vulnerability announcements - indefinitely.


Inside-Out Pen-Testing Still Rare

(This article was originally published on the Findings From the Field blog.)

Industrial Defender's penetration testers report that they see "inside-out" penetration testing engagements only rarely. In such engagements, the tester starts from some point on the operations network and attempts to compromise equipment on the enterprise network. More conventional "outside-in" attacks do represent a greater risk to most enterprises, but "inside-out" tests really should be carried out more frequently than they are now.


Advanced Threats and Smart Grid Standards

(This article was originally published on the Findings From the Field blog.)

At the recent Smart Grid Security East conference, I had the opportunity to ask two standards gurus about advanced threats and existing security standards. I asked if they felt the evidence to date of advanced threats to control systems warranted changes in security standards. The answer was a qualified "no" from both...


Smart Grid Safety vs Confidentiality

(This article was originally published on the Findings From the Field blog.)

I just returned from Smart Grid Security East. The event featured an impressive set of high-powered government and regulatory speakers and a fair number of vendors as well. Surprisingly, I found the "NERC-CIP Compliance" workshop very useful -- in addition to the usual introductory information, there was insightful discussion between a number of security consultants and former NERC auditors as to how this word or that phrase are being interpreted during audits. The event also crystallized for me an understanding of why I have found the AMI/smart meter security space so confusing for the last little while: IT folks see smart meters as billing appliances. ICS folks, like me, see them as control devices. Security requirements for the two classes of devices are very different. Thus far, the IT interpretation is winning...


Symantec Dossier Updated: v1.4

(This article was originally published on the Findings From the Field blog.)

A week ago, Symantec released the third update to their Stuxnet Dossier, adding sections on chains of infection and on the 417 PLC exploits. The new information is interesting because it suggests new things about the target site and how it was initially infected. Ralph Langner's team has also investigated the S7-417 code and disagrees with Symantec in a number of ways.


How Stuxnet Spreads

Eric Byres, Joel Langill and I have just released a new whitepaper: How Stuxnet Spreads - A Study of Infection Paths in Best Practice Systems. The paper details how the worm moves through what appear to be well-protected enterprise, plant and control system networks and firewalls on the way to its objective - the PLCs controlling the physical process. Existing best-practice security measures are shown to be insufficient to the task of deflecting attacks as sophisticated as this one.


McAfee Documents “Night Dragon” APT

(This article was originally published on the Findings From the Field blog.)

McAfee has released a report describing a new Advanced Persistent Threat they dubbed "Night Dragon." The attackers were able to take remote control of assets they compromised. In this attack, though, the motive was not sabotage, but the theft of competitive intelligence. What is distressing is that while the adversary behind the attack seems very capable, the technology of the attacks was not very sophisticated. These adversaries were able to take over control system assets and energy-industry infrastructure using fairly unsophisticated "remote administration" toolkits.


Still No Report on Fly-Away Teams

(This article was originally published on the Findings From the Field blog.)

The ICS-CERT has released a 7-page 2010 Year in Review summary. Prominent industrial security commentators Dale Peterson, PJ Coyle and Joel Langill have each posted on the summary, with Joel posting a mostly-positive review, and Dale and PJ indicating that the Stuxnet "lessons learned" section is very much lacking those important lessons the ICS-CERT should itself have learned about its own response to the worm. My own opinion of the report reflects my desire for better indications of progress in the field of ICS security. Reading between the lines of the "lessons learned" by the fly-away teams is suggestive, but such speculation should not be necessary.


Compliance Managers Support Forensics

(This article was originally published on the Findings From the Field blog.)

One aspect of forensics practice which is regularly mentioned but is rarely described in any detail is configuration management. All of the references in last week's post Security Basics: Control System Forensics recommend documenting security configuration and other aspects of important hosts so that when there is an incident, you can compare the state of a potentially compromised host to the approved configuration for that host. However, none of the references describes how to record or manage such "approved configuration" information.


Security Basics: Control System Forensics

(This article was originally published on the Findings From the Field blog.)

Most network administrators recognize the term computer forensics as the discipline of collecting evidence from computers for use in court. What may not be apparent is that computer forensics practices and technologies are also useful tools for general trouble-shooting. Forensic records are detailed enough to identify the cause of intrusions and other causes for litigation. As a result, these records are almost always detailed enough to identify causes of other kinds of problems, from performance anomalies to operator and administrator errors and omissions. But what kinds of real-time forensics are appropriate to deploy on industrial control systems?


CIP-002-4 Is Coming

(This article was originally published on the Findings From the Field blog.)

NERC announced earlier this month that long-debated changes to the NERC CIP-002 standard have passed ballot and are being submitted to the NERC board for approval. The changes introduce a "bright line rule" defining Critical Assets and Critical Cyber Assets. The rule eliminates the discretion NERC entities had in versions 1-3 to define their own risk-based assessment methodologies to identify Critical Assets. The changes should result in a much larger pool of assets being identified as critical and so subject to CIP standards. It remains to be seen though, whether utilities will take this opportunity to strengthen their security programs in light of recent advanced threats to control systems.


Review: Tofinosecurity.com’s Stuxnet Central

(This article was originally published on the Findings From the Field blog.)

The Byres Security Tofinosecurity.com site has a useful page called Stuxnet Central. Some of the materials on the page require that you become a member of the site to access them, but once you have a password, you have access to everything. On Stuxnet Central, Tofinosecurity.com has links to all of their own Stuxnet materials, including a handy list of links to all of the Stuxnet-related Practical SCADA Security blog entries. There are also links to a nice cross-section of external resources, everything from Microsoft's vulnerability reports, to representative articles from the popular press, to detailed technical discussions of the worm. If you are coming up to speed on Stuxnet, or if you have been following along and want to know there is nothing you missed, I can recommend Tofino's Stuxnet Central. If you've never looked through the page in detail, there are a couple of interesting surprises...


Industrial Defender Updates Stuxnet Whitepaper

(This article was originally published on the Findings From the Field blog.)

Industrial Defender has released their updated Stuxnet Whitepaper: The Stuxnet Worm and Defenses for Advanced Threats. You do need to register to access the paper, but once registered you will have access to all of Industrial Defender’s archived papers and webinars. The updated whitepaper assumes you understand control systems, and provides control systems engineers with the information needed to evaluate their security programs in light of advanced threats. The whitepaper uses the Stuxnet example to illustrate how products from the Industrial Defender security suite react to advanced threats. The paper concludes that given the apparent success of recent attacks, it is only reasonable to expect new advanced attacks in the months ahead.