Control System Security (blog by Andrew Ginter): comments feed, last updated 2023-12-18

PJCoyle, 2018-03-28T16:05:24-06:00

The problem is compounded in small to medium facilities that do not have the resources (time, money and/or expertise) to set up test beds to vet patches. They are reduced to patch and hope or not-patch and hope. In either case 'hope' is not a strong cybersecurity tool.

Andrew Ginter, 2018-01-08T21:25:33-07:00

All cyber attacks are information. If we can control the flow of information into our control systems, we control the flow of attacks. Waterfall customers generally have excellent control over the flow of information into their system. I expect that for the duration of the Meltdown / Spectre emergency, these kinds of sites will physically turn off the flow of all executable files and remote access into important control systems. Control systems protected only by software, and not by hardware flow controls, will have a much harder time of it.

PJCoyle, 2018-01-05T20:23:32-07:00

A good point about the need for extensive testing of software and firmware updates in this environment. I am, however, a little concerned about the almost cavalier dismissal of the problem for systems behind the 'Waterfall perimeter'. It seems to me that hardware bugs like these are going to lead to new and innovative exploits that may not be readily apparent at this time. It seems to me to be too early to declare protection.

Anonymous, 2012-12-26T09:09:16-07:00

For the foreseeable future, we should expect reported vulnerability counts to reflect the amount of attention ICS products get, and not reflect anything about the increasing or decreasing quality or security of ICS products and systems.
-----------
Totally agree. As well as with all posts in general. Love reading your blog.

Kind regards from Maryna (we met at Idaho Falls during the training)

PatRussell, 2012-07-11T09:13:50-06:00

Great post, Andrew.

Your point at the end is almost identical to a comment I left on the Unicorn post over at Tofino. I see too much attacking and not enough educating and it frustrates me!

Thanks for injecting some reason and sanity into the discussion.

Pat Russell

Anonymous, 2011-02-25T06:15:40-07:00

Very comprehensive report the three of you wrote, with lots of useful info for those interested in protecting industrial control environments. Keep up the good work!

Joel Langill, 2011-01-04T23:53:13-07:00

It is also important to remember that the systems have inherent vulnerabilities, but there are also additional vulnerabilities that are introduced by those responsible for programming/integrating these control systems.

Andrew Ginter, 2010-12-23T09:56:05-07:00

Hey PJ, based on your feedback and other feedback I'm getting on this post I'm concluding that my disagreement with Mr. Langner is really about his use of the word "advanced." I agree that concepts like the Siemens code injection are going to make their way into more malware and even malware toolkits over time, making them available to less-talented adversaries. Those adversaries will produce malware that targets control systems. I still don't think we will see advanced attacks from script-kiddies or anyone but nation-states though.

The problem with more mundane attacks is that while enterprise networks can repel those attacks easily, the average control system is much less well protected than the average enterprise network. So I take your point and Ralph's that these run-of-the-mill copy-cats will turn into a big problem for your average industrial site. Most sites need to take control system security much more seriously than they do.

PJCoyle, 2010-12-23T07:52:50-07:00

Excellent discussion. One question and one observation.

Q. Looking at Ralph's dissection of Stuxnet attack codes, couldn't a talented hacker reverse engineer substantial portions of the code to develop their own Stuxnet-lite?

O. I slightly disagree with your observations about criminal enterprises and terrorist attacks on control systems. They wouldn't need to destroy a process like Stuxnet was apparently designed to do. Simply disrupting the process enough to cause quality problems or production delays could be sufficient to their purposes. If a Stuxnet-lite tool kit were available they could cause random changes that could be disruptive.

Large enterprises would not be as susceptible to extortion, but many smaller enterprises with limited technical expertise might be. Large enterprises could be susceptible to blackmail however. In the current political climate when environmentalists are trying to politically shut down processes with the most dangerous chemicals (Chlorine, Anhydrous Ammonia, Hydrogen Fluoride, etc), having to admit publicly that their control systems had been even ineffectively disrupted by terrorists would be political dynamite.

Andrew Ginter, 2010-11-04T13:21:17-06:00

I have received feedback on this posting and would like to clarify a couple of things for the record:

- When I said "diode hardware is pretty simple" I meant "simple in concept." In fact, the hardware tends to represent a significant engineering effort, reflecting the requirements for extreme reliability to make retransmissions extremely unlikely, high speed, hardware redundancy, and elimination of hardware-based covert channels.

- In the redundant control / enterprise historian scenario, readers should understand that enterprise clients do not see a "copy of the data from the control historian," rather, enterprise clients interact with the enterprise historian. Data from the control historian has been sent via a diode to the enterprise historian, and enterprise clients have the full power of the historian instance on the enterprise network at their disposal to analyze the historical data.

- My use of the term "proxy" seems confusing as well. I meant the term in a more abstract sense than readers seem to be interpreting it. I used "proxy" to mean "any piece of software which emulates another server for the purposes of streamlining or securing communications." If you are familiar with web proxies or email proxies or other security technologies called "proxies" which typically run on advanced firewall / unified threat managers, you will know that those proxies are bidirectional. The "proxy" components which I describe as part of diode solutions emulate bidirectionality, but in fact transmit information only in one direction through the diode hardware.

For example an OPC proxy on the enterprise end of a diode will accept commands from an enterprise OPC client to poll a device on a regular basis. The proxy however, clearly cannot poll the device on the protected network, because the diode prevents any such commands from reaching the protected network. Instead, the enterprise proxy acknowledges the polling instructions from the OPC client and behaves as if the proxy had polled the device regularly. In fact though, the proxy provides to the enterprise OPC client whatever device data the protected end of the diode sends to the enterprise side of the diode, on whatever schedule the protected end of the diode sends the data.

Different vendors have different names for the various components of their solutions. I don't know if any of them use the "proxy" term the way I have tried to use it here to simplify descriptions.

As always, feedback like the above is welcome, either as comments here, or in email or voice-to-voice.

Andy Bochman, 2010-11-01T11:25:20-06:00

This is a fantastic summary. Not good news by any stretch of the imagination, but an extremely helpful/useful/realistic recap. Thanks, Andrew!!!

Andy Bochman, 2010-10-21T06:03:54-06:00

This is a great little primer, Andrew, thanks. Looking forward to you connecting the dots in your white paper re: IPS/IDS/other strategies for beginning to tackle something as complicated and thorough as Stuxnet. Folks definitely need a place to start, and as you indicated, current sec stds don't get them there.

Andy
Smart Grid Security Blog