<center><b>Control System Security</b><br>INDUSTRIAL CONTROL SYSTEM / SCADA SECURITY:<br>NEWS, TECHNOLOGIES, PRACTICES, AND EXPERIENCE<br><b><i>Note: Comments in this blog are blocked for any posting 14 days old, or older</i></b></center>
Andrew Ginter, <a href="http://www.blogger.com/profile/12985552166665412593">Blogger profile</a> (feed updated 2023-12-18)<br>
<br>
<b>Secure Operations Technology</b> (2019-03-04)
<br>
<div style="text-align: justify;">
I am pleased to announce the general availability of my new book, <em><a href="https://www.amazon.com/Secure-Operations-Technology-Andrew-Ginter/dp/0995298424/" target="_blank">Secure Operations Technology</a> </em>(SEC-OT).
SEC-OT is a perspective, a methodology and a set of best practices that
document what thoroughly-secured industrial sites actually do. What
these sites do differs sharply from what most industrial sites do.</div>
<div style="text-align: justify;">
<br></div>
<div style="text-align: justify;">
<a href="https://www.amazon.com/Secure-Operations-Technology-Andrew-Ginter/dp/0995298424/" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;" target="_blank"><img alt="Secure Operations Technology" class="alignright wp-image-23635 size-medium" height="150" src="https://waterfall-security.com/static/SEC-OT_book_cover-204x300.jpg" style="text-align: justify;" title="" width="102"></a>Most industrial sites practice IT
Security (IT-SEC) whose focus is to “protect the information” – the CIA,
the AIC, the IAC, or the <em>something</em> of the information. The
focus at secure industrial sites, though, is protecting the safe,
reliable, continuous and correct operation <em>of the physical, industrial process</em>,
not protecting information. Indeed, secure sites are focused on
precisely the opposite – protecting correct and continuous physical
operations <em>from</em> information, more specifically from cyber attacks that may be embedded in information.</div>
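<p>To make "protecting physical operations from information" concrete at the protocol level, the following is an added example; it is not code from the book or from this post. It parses Modbus/TCP frames (MBAP header plus PDU) and classifies each request as monitoring (a read that moves data out of the process) or control (a write or diagnostic that pushes new state into the process), which is the same monitoring-data versus control-data distinction the "Control Is Not Data" post below draws. The function-code grouping, the sample frames and the policy that only monitoring reads may originate on the business network are constructed assumptions of the example.</p>

```python
import struct

# Modbus function codes, grouped by what they move. Reads carry monitoring data out of
# the process; writes and diagnostics carry control into it. Table constructed for this
# example from the public Modbus application-protocol function-code list.
MONITORING_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}
CONTROL_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    8: "Diagnostics",  # sub-functions include restarting communications on the device
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into its MBAP header fields and PDU.

    MBAP: transaction id (2), protocol id (2, always 0 for Modbus), length (2), unit id (1).
    PDU: function code (1) followed by function-specific data.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    # The length field counts the unit id plus the PDU: everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes present")
    return {
        "transaction_id": transaction_id,
        "unit_id": unit_id,
        "function": frame[7],
        "data": frame[8:],
    }


def classify_request(function: int) -> str:
    """Return 'monitoring', 'control' or 'unknown' for a request function code."""
    if function in MONITORING_FUNCTIONS:
        return "monitoring"
    if function in CONTROL_FUNCTIONS:
        return "control"
    return "unknown"


def describe_control(function: int, data: bytes) -> str:
    """Decode the target and value of the common write requests: what would change in the process."""
    if function == 5:  # Write Single Coil: address (2), value (2): 0xFF00 = on, 0x0000 = off
        address, value = struct.unpack(">HH", data[:4])
        return f"coil {address} := {'ON' if value == 0xFF00 else 'OFF'}"
    if function == 6:  # Write Single Register: address (2), value (2)
        address, value = struct.unpack(">HH", data[:4])
        return f"register {address} := 0x{value:04X}"
    if function == 16:  # Write Multiple Registers: start (2), quantity (2), byte count (1), values
        start, quantity, byte_count = struct.unpack(">HHB", data[:5])
        if byte_count != 2 * quantity or len(data) < 5 + byte_count:
            raise ValueError("byte count does not match register quantity")
        values = struct.unpack(f">{quantity}H", data[5:5 + byte_count])
        return f"registers {start}..{start + quantity - 1} := {list(values)}"
    return f"function {function} with {len(data)} data bytes"


def filter_from_business_network(frames: list[bytes]) -> list[tuple[str, str]]:
    """Policy assumed by this example: a request arriving from the business network may only
    be a monitoring read; anything carrying control, or anything malformed, is dropped.
    Returns one (decision, reason) pair per frame."""
    decisions = []
    for frame in frames:
        try:
            request = parse_modbus_tcp(frame)
            kind = classify_request(request["function"])
            if kind == "monitoring":
                decisions.append(("allow", MONITORING_FUNCTIONS[request["function"]]))
            elif kind == "control":
                name = CONTROL_FUNCTIONS[request["function"]]
                decisions.append(("drop", f"{name}: {describe_control(request['function'], request['data'])}"))
            else:
                decisions.append(("drop", f"unknown function {request['function']}"))
        except ValueError as exc:
            decisions.append(("drop", f"malformed: {exc}"))
    return decisions


# Constructed sample traffic for the example (not a capture): one read, two writes, one truncated frame.
SAMPLE_FRAMES = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000A"),               # read 10 holding registers from 0
    bytes.fromhex("0002 0000 0006 01 06 0010 1234"),               # write 0x1234 to register 16
    bytes.fromhex("0003 0000 000B 01 10 0010 0002 04 0001 0002"),  # write registers 16..17
    bytes.fromhex("0004 0000 0006 01"),                            # header promises 6 bytes, 1 present
]

if __name__ == "__main__":
    for frame, (decision, reason) in zip(SAMPLE_FRAMES, filter_from_business_network(SAMPLE_FRAMES)):
        print(f"{decision:5} {frame.hex()}  {reason}")
```

<p>The point of the decode step is that the dropped frames are not "data" in any meaningful sense: each one is a command that would change the state of the physical process, which is why a firewall rule that simply permits TCP port 502 in both directions protects nothing the SEC-OT perspective cares about.</p>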
<a href="http://controlsystemsecurity.blogspot.com/2019/03/secure-operations-technology.html#more">Read more »</a><br>
<br>
<b>Defining Control Security</b> (2018-12-31)<br>
This post first appeared on the <a href="https://waterfall-security.com/blog/defining-control-security">Waterfall Security Solutions Blog</a> in July 2018.<br>
<br>
<center><b><i>“The beginning of wisdom is the definition of terms.”</i></b> – Socrates (470 – 399 B.C.)</center>
<br>
Definitions are important – good ones shape our understanding of concepts while poor ones impair that understanding. Consider the definition:<br>
<br>
<center>
<b><i>pen: a tube of ink with a tiny ball bearing at the tip</i></b></center>
<br>
How useful is that definition? If we give the definition to a non-English-speaker, would it seem like a word worth remembering? Consider a different definition:<br>
<br>
<a href="http://controlsystemsecurity.blogspot.com/2018/12/defining-control-security.html#more">Read more »</a><br>
<br>
<b>Total Meltdown</b> (2018-03-28)
<div style="text-align: left;">
The Meltdown / Spectre saga continues. Ulf Frisk has just posted a description of a vulnerability he has named <a href="http://blog.frizk.net/2018/03/total-meltdown.html?m=1"><span style="text-decoration: underline;"><span style="color: navy; text-decoration: underline;">“Total Meltdown”</span></span></a>. It seems that Microsoft developers introduced an even worse vulnerability while fixing the <span style="text-decoration: underline;"><span style="color: navy;"><a href="https://meltdownattack.com/" style="color: navy; text-decoration: underline;">Meltdown vulnerability</a></span></span>
in 64-bit Windows 7 and Windows Server 2008 R2: the January 2018 patch left the page-table self-reference entry marked user-accessible, so the page tables themselves became readable and writable from ordinary user mode (the hole was later fixed as CVE-2018-1038). With this broken Meltdown
“fix” installed, any program can read or write any word in any other
program’s memory, or the kernel’s memory for that matter, just by
reaching out and touching – no special tricks required. The cure is
worse than the disease.</div>
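<p>The mechanism behind Frisk's finding, as an added illustration that is not part of the original post: on x86-64 every page-table entry carries a User/Supervisor bit, and Windows x64 maps its own page tables into virtual memory through a self-referencing PML4 entry. If that one entry is user-accessible, ring 3 can read and rewrite every page table and, from there, map any physical page. The code below decodes the entry bit layout, computes the self-map address, and audits a constructed PML4 (not one dumped from a real machine) for exactly that condition. Slot 0x1ED is the fixed self-reference slot used by Windows 7 / Server 2008 R2 x64; the physical addresses in the sample table are made up for the example.</p>

```python
# x86-64 page-table entry bit layout (the bits used here are common to PML4E, PDPTE, PDE and PTE).
PRESENT = 1 << 0      # P: entry is valid
WRITABLE = 1 << 1     # R/W: writes permitted
USER = 1 << 2         # U/S: 1 = reachable from ring 3, 0 = supervisor only
NO_EXECUTE = 1 << 63  # XD: no instruction fetch through this entry
PFN_MASK = ((1 << 52) - 1) & ~0xFFF   # bits 12..51 hold the physical address of the next level

SELF_REF_INDEX = 0x1ED  # PML4 slot holding the self-reference on Windows 7 / Server 2008 R2 x64
ENTRIES_PER_TABLE = 512


def decode_entry(entry: int) -> dict:
    """Break a 64-bit table entry into the fields that matter for access control."""
    return {
        "present": bool(entry & PRESENT),
        "writable": bool(entry & WRITABLE),
        "user": bool(entry & USER),
        "no_execute": bool(entry & NO_EXECUTE),
        "physical": entry & PFN_MASK,
    }


def self_map_pml4_va(index: int) -> int:
    """Virtual address at which the PML4 page itself appears through a self-reference in slot
    `index`: all four 9-bit indexes equal `index`, then canonical sign-extension of bit 47."""
    va = (index << 39) | (index << 30) | (index << 21) | (index << 12)
    if va & (1 << 47):
        va |= 0xFFFF << 48
    return va


def audit_self_reference(pml4: list[int], pml4_physical: int) -> list[int]:
    """Return the slots that point back at the PML4 page and are user-accessible.

    A present, self-referencing entry with U/S set is the Total Meltdown condition: ring 3 can
    read and write the page tables through the self-map and from there reach any physical page.
    """
    findings = []
    for index, raw in enumerate(pml4):
        fields = decode_entry(raw)
        if fields["present"] and fields["physical"] == pml4_physical and fields["user"]:
            findings.append(index)
    return findings


def build_sample_pml4(pml4_physical: int, self_ref_user_accessible: bool) -> list[int]:
    """Constructed PML4 for the example: a user mapping in slot 0, a kernel mapping near the top,
    and the self-reference in slot 0x1ED. Only the U/S bit of the self-reference varies."""
    table = [0] * ENTRIES_PER_TABLE
    table[0] = 0x1000 | PRESENT | WRITABLE | USER   # user-space page directories, ring 3 allowed
    table[0x1F0] = 0x2000 | PRESENT | WRITABLE      # kernel mapping, supervisor only
    self_ref = pml4_physical | PRESENT | WRITABLE   # correct state: supervisor only
    if self_ref_user_accessible:
        self_ref |= USER                            # the state the broken patch left behind
    table[SELF_REF_INDEX] = self_ref
    return table


if __name__ == "__main__":
    pml4_phys = 0x1AD000  # constructed physical address of the PML4 page
    for label, broken in (("correct patch", False), ("Total Meltdown", True)):
        table = build_sample_pml4(pml4_phys, broken)
        hits = [hex(i) for i in audit_self_reference(table, pml4_phys)]
        print(f"{label}: user-accessible self-references = {hits}")
    print("PML4 self-map address for slot 0x1ED:", hex(self_map_pml4_va(SELF_REF_INDEX)))
```

<p>On a correctly patched machine this audit cannot be run from user mode at all, which is the whole point: the constructed tables stand in for a kernel memory dump. The self-map address the function returns for slot 0x1ED is the fixed value Windows 7 x64 used, and it is that fixed, user-readable mapping that turned a page-table bit into a read-and-write primitive over all of physical memory.</p>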
<br>
<a href="http://controlsystemsecurity.blogspot.com/2018/03/total-meltdown.html#more">Read more »</a><br>
<br>
<b>Protecting Industrial Control Systems from Spectre and Meltdown</b> (2018-01-05)<br>
The big news today is the Spectre and Meltdown bugs. These vulnerabilities let attack code such as JavaScript steal passwords, encryption keys and session cookies from kernel memory and from other browser windows on nearly all modern computers. The performance hits and code changes needed to fix these bugs are extensive. A lot of costly testing will be needed in the very short term before fixes for Meltdown and Spectre can safely be applied to our ICS/OT/SCADA networks. The only bright spot in this situation is that, as usual, Waterfall customers are taking these developments in stride. Properly designed ICS security programs make it practically impossible for any attack code to reach vulnerable systems. Outside of this community, Spectre and Meltdown will be a major problem.<br>
<br>
<a href="http://controlsystemsecurity.blogspot.com/2018/01/protecting-industrial-control-systems.html#more">Read more »</a><br>
<br>
<b>Control Is Not Data</b> (2016-12-31)
<p><small>(First published in the <a href="https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_16/ICSJWG_QNL_December2016_S508C.pdf">DHS ICSJWG December 2016 Newsletter</a> as <a href="https://ics-cert.us-cert.gov/sites/default/files/ICSJWG-Archive/QNL_DEC_16/Control%20Is%20Not%20Data%20Ginter_S508C.PDF">Control Is Not Data</a>.)</small></p>
<p>IT gurus tell us that control system security is essentially the same as IT security, and that both are about "protecting the data." The gurus tell us that, yes, there are two kinds of "data" in control systems - monitoring data and control data - but "data is data." They tell us that all we need to do is protect the CIA, or AIC, or IAC, or something, of the data and we're done - we're secure.</p>
<p>They are wrong.</p>
<a href="http://controlsystemsecurity.blogspot.com/2016/12/control-is-not-data.html#more">Read more »</a><br>
<br>
<b>SCADA Security Site Launched</b> (2016-11-13)
<p><a href="http://www.scada-security.ca">www.scada-security.ca</a> is live. The site is focused on approaches to modern SCADA security education. One of the things I'm doing at Waterfall Security Solutions is working with a couple of different universities to add SCADA security content to their undergraduate and graduate programs. As those efforts bear fruit, I will be posting pointers here to different sorts of course content.</p>
<a href="http://controlsystemsecurity.blogspot.com/2016/11/scada-security-site-launched.html#more">Read more »</a><br>
<br>
<b>SCADA Security Published</b> (2016-11-13)
<div class="separator" style="clear: both; text-align: center;"><a href="https://www.amazon.com/SCADA-Security-Whats-Broken-How/dp/0995298408/ref=sr_1_1?ie=UTF8&qid=1477847390&sr=8-1&keywords=scada+security+ginter" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;">
<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhERUTd0ANG1csjB0dqFgjtVqcUAZI-TlhdNbkumFjG2vSzIdTuLLa2B3RErql5AhHmJfcU6AepTDR3YSh42eIyef0pmCnJIRzLljlRoMEq6okvPWXdn-YrgzQiqlHoe-x9_w74_4xfF4uC/s320/scada-security-book-large.gif" width="123" height="196"></a></div>
My book <a href="https://www.amazon.com/SCADA-Security-Whats-Broken-How/dp/0995298408/ref=sr_1_1?ie=UTF8&qid=1477847390&sr=8-1&keywords=scada+security+ginter">
SCADA Security - What's broken and how to fix it</a> is live on Amazon in soft-cover and Kindle formats. The book's launch was the Waterfall/TDi mingle at the ICSJWG last month, with copies available for all ICSJWG attendees, compliments of Waterfall Security Solutions.<br>
<a href="http://controlsystemsecurity.blogspot.com/2016/11/scada-security-published.html#more">Read more »</a><br>
<br>
<b>Protecting Critical Infrastructure Published</b> (2016-11-13)
<div class="separator" style="clear: both; text-align: center;"><a href="https://www.amazon.com/Cyber-Physical-Security-Protecting-Critical-Infrastructure/dp/3319328220/ref=sr_1_1?ie=UTF8&qid=1477846430&sr=8-1&keywords=cyber+physical+state+local" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;">
<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpYDNVuYkFsi29I-MM1Fw0hFzw9IsYUo3UYwvGm6IgOWvjMMc4tj0h9fTTAMr7r8Df3jWF5oT2WF1GfL1sOnap4G8guV-BR9hMFmZbePbo8XBz03aokHQRc3JWDNDzRe5Cs4aZgnzWvo8w/s200/cyber-physical-security.jpg" width="126" height="200"></a></div>
<a href="https://www.amazon.com/Cyber-Physical-Security-Protecting-Critical-Infrastructure/dp/3319328220/ref=sr_1_1?ie=UTF8&qid=1477846430&sr=8-1&keywords=cyber+physical+state+local">Cyber-Physical Security - Protecting Critical Infrastructure at the State and Local Level</a>
was published recently. I contributed chapter 4, "Cyber Perimeters for Critical Infrastructures." Essential to modern thinking about control system network perimeters is the concept of "trust," "criticality," or "impact" - different authors use different words for the concept.<br>
<a href="http://controlsystemsecurity.blogspot.com/2016/11/protecting-critical-infrastructure.html#more">Read more »</a><br>
<br>
<b>100,000 Vulnerabilities</b> (2012-09-06)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.digitalbond.com/2012/09/06/100000-vulnerabilities/" target="_blank" title="Digital Bond - 100,000 Vulnerabilities">Digital Bond</a> blog.)<br>
<br>
The popular press cites an “alarming” statistic from time to time –
the “dramatic” increase in cyber-security vulnerabilities being reported
in industrial control system components. 129 were reported in 2011, vs
only 15 in 2010 and 14 in 2009. Those of us in the industry of course
groan when we read nonsense like this. We know the truth to be rather
more “dramatic.”<br>
<br>
How bad is SCADA security really? Let’s do the math.<br>
</td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2012/09/100000-vulnerabilities.html#more">Read more »</a><br>
<br>
<b>ICS and SCADA Security Myth: Protection by Firewalls</b> (2012-06-29)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published in the June, 2012 <a href="http://www.us-cert.gov/control_systems/icsjwg/" target="_blank" title="ICSJWG Newsletter">ICSJWG Quarterly Newsletter</a>.)<br>
<br>
In this article I am going to talk about a fairy tale. This tale doesn’t have princes or frogs in it, but instead it deals with SCADA and industrial control system security. The existence of a “firewall” between control system networks and the rest of the world has been one of the most enduring fairy tales in the field of SCADA/ICS security. The idea is that, in a properly designed system, there is a logical barrier between the control network and the business network. Since unauthorized information cannot cross such a firewall, bad things like hackers and worms can never get into critical control systems. From this, a corollary flows:<br></td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2012/06/ics-and-scada-security-myth-protection.html#more">Read more »</a><br>
<br>
<b>Project Basecamp: Tempest in a Teapot</b> (2012-05-20)
<table bgcolor="white"><tr><td width="100%">
<div style="text-align: justify;">
I have been thinking about the DHS ICSJWG Spring Conference of a week ago, and the 2-hour debate at the conference on device security and the Digital Bond "Project Basecamp" project that was announced at January's S4 conference. The debate showed there is still resistance to device authentication, but among end users more so than among vendors. I think Jonathan Pollet's comments about this debate echoing the 1990's IT encryption debate are on the mark. That said though, I still think it will take a long time before device authentication becomes commonplace.</div>
</td></tr></table><a href="http://controlsystemsecurity.blogspot.com/2012/05/project-basecamp-tempest-in-teapot.html#more">Read more »</a><br>
<br>
<b>Air Gaps Dead, Network Isolation Making a Comeback</b> (2011-07-19)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.digitalbond.com/" target="_blank" title="Digital Bond">Digital Bond</a> blog.)<br>
<br>
Eric Byres' recent post claiming the <a href="http://www.tofinosecurity.com/blog/1-ics-and-scada-security-myth-protection-air-gap">#1 ICS and SCADA Security Myth</a> is protection by air gaps struck a chord with me. I have been thoroughly distracted of late by my new role at Waterfall Security Solutions, but even so I could not let this one go by. Old-school air gaps are still used occasionally, in the most sensitive control systems. The rest of the time, technologies like data diodes or unidirectional gateways provide the most important benefits of truly air-gapped control systems, while still permitting businesses to profit from access to the real-time data produced by those systems.<br>
</td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2011/07/air-gaps-dead-network-isolation-making.html#more">Read more »</a><br>
<br>
<b>Security Basics: Social Engineering</b> (2011-04-17)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
Miles McQueen of the University of Idaho and Idaho National Laboratory gave an interesting presentation in the Security track at the ARC World Forum in Orlando some time ago. He talked about work INL had done with their own people to increase awareness of social engineering attacks. He cited pan-cultural research results about people lying as background. The research showed how many people across many cultures believed that the following traits indicated someone was lying:</td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2011/04/security-basics-social-engineering.html#more">Read more »</a><br>
<br>
<b>CIP-002-4 “Bright Line” Secures 163 Plants, Max</b> (2011-04-03)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
In the 2009 statistics, the latest available, NERC tracked some 10,500 generators with a nameplate capacity of 0.1 MW or higher, at about 5700 sites. The new <a href="http://findingsfromthefield.com/?p=697" target="_self" title="Findings From the Field: CIP-002-4 Is Coming">NERC CIP-002 version 4 "bright line" rule</a> says NERC-CIP applies to only those generating sites with "an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW in a single Interconnection." How many locations/plants is that? According to NERC, only 163 sites have a nameplate generating capability of 1500 MW or greater, and there is no word yet on how many of those plants are exempt because they feed less than 1500 MW into any one interconnection.<br>
</td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2011/04/cip-002-4-bright-line-secures-163.html#more">Read more »</a><br>
<br>
<b>Vulnerabilities Not News to Experts</b> (2011-03-26)
<table bgcolor="white" width="100%"><tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
Last week's announcement by Luigi Auriemma of <a title="Bugtraq: Vulnerabilities in some SCADA server softwares" href="http://seclists.org/bugtraq/2011/Mar/187" target="_blank">35 unpatched ICS vulnerabilities</a> is no surprise to SCADA/ICS experts. If anything, the surprise in the list of vulnerabilities is that all of them were implementation flaws rather than the more serious design flaws evident in many products. Most industrial sites maintain that their hardened perimeters are doing a good job of protecting the "soft interior" of their control systems. They are mistaken.<br>
<br>
There are enormous numbers of unpatched security vulnerabilities in control system software - most undiscovered and un-announced. Thus far few people are looking for ICS vulnerabilities - there is little profit in finding them. Many who find vulnerabilities use the <a title="Microsoft: Coordinated Disclosure" href="http://www.microsoft.com/security/msrc/report/disclosure.aspx" target="_blank">Coordinated Disclosure</a> process, but there is a large population of skillful investigators who believe strongly in <a title="Wikipedia: Full Disclosure" href="http://en.wikipedia.org/wiki/Full_disclosure" target="_blank">Full Disclosure</a>. Expect a steady dribble of these vulnerability announcements - indefinitely.</td></tr></table><a href="http://controlsystemsecurity.blogspot.com/2011/03/vulnerabilities-not-news-to-experts.html#more">Read more »</a><br>
<br>
<b>Inside-Out Pen-Testing Still Rare</b> (2011-03-20)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
Industrial Defender's penetration testers report that they see "inside-out" penetration testing engagements only rarely. In such engagements, the tester starts from some point on the operations network and attempts to compromise equipment on the enterprise network. More conventional "outside-in" attacks do represent a greater risk to most enterprises, but "inside-out" tests really should be carried out more frequently than they are now.</td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2011/03/inside-out-pen-testing-still-rare.html#more">Read more »</a><br>
<br>
<b>Advanced Threats and Smart Grid Standards</b> (2011-03-13)
<table bgcolor="white"><tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
At the recent <a href="http://www.smartgridsecurityeast.com" target="_blank" title="Smart Grid Security East">Smart Grid Security East</a> conference, I had the opportunity to ask two standards gurus about advanced threats and existing security standards. I asked if they felt the evidence to date of advanced threats to control systems warranted changes in security standards. The answer was a qualified "no" from both... </td></tr></table><a href="http://controlsystemsecurity.blogspot.com/2011/03/advanced-threats-and-smart-grid.html#more">Read more »</a><br>
<br>
<b>Smart Grid Safety vs Confidentiality</b> (2011-03-04)
<table bgcolor="white"><tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
I just returned from <a title="Smart Grid Security East" href="http://www.smartgridsecurityeast.com" target="_blank">Smart Grid Security East</a>. The event featured an impressive set of high-powered government and regulatory speakers and a fair number of vendors as well. Surprisingly, I found the "NERC-CIP Compliance" workshop very useful -- in addition to the usual introductory information, there was insightful discussion between a number of security consultants and former NERC auditors as to how this word or that phrase is being interpreted during audits. The event also crystallized for me an understanding of why I have found the AMI/smart meter security space so confusing for the last little while: IT folks see smart meters as billing appliances. ICS folks, like me, see them as control devices. Security requirements for the two classes of devices are very different. Thus far, the IT interpretation is winning...</td></tr></table><a href="http://controlsystemsecurity.blogspot.com/2011/03/smart-grid-safety-vs-confidentiality.html#more">Read more »</a><br>
<br>
<b>Symantec Dossier Updated: v1.4</b> (2011-02-23)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
A week ago, Symantec released the third update to their <a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf" target="_blank" title="W32.Stuxnet Dossier v 1.4">Stuxnet Dossier</a>, adding sections on chains of infection and on the S7-417 PLC exploits. The new information is interesting because it suggests new things about the target site and how it was initially infected. <a href="http://www.langner.com/" target="_blank" title="langner.com">Ralph Langner's team</a> has also investigated the S7-417 code and disagrees with Symantec in a number of ways. </td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2011/02/symantec-dossier-updated-v14.html#more">Read more »</a><br>
<br>
<b>How Stuxnet Spreads</b> (2011-02-22)
<table bgcolor="white" width="100%"><tr><td width="100%"><a href="http://www.tofinosecurity.com/">Eric Byres</a>, <a href="http://www.scadahacker.com/">Joel Langill</a> and I have just released a new whitepaper: <a href="http://abterra.ca/papers/How-Stuxnet-Spreads.pdf">How Stuxnet Spreads - A Study of Infection Paths in Best Practice Systems</a>. The paper details how the worm moves through what appear to be well-protected enterprise, plant and control system networks and firewalls on the way to its objective - the PLCs controlling the physical process. Existing best-practice security measures are shown to be insufficient to the task of deflecting attacks as sophisticated as this one.<br>
</td></tr></table><a href="http://controlsystemsecurity.blogspot.com/2011/02/how-stuxnet-spreads.html#more">Read more »</a><br>
<br>
<b>McAfee Documents “Night Dragon” APT</b> (2011-02-15)
<table bgcolor="white" width="100%"><tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
McAfee has <a href="http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf" target="_blank" title="Global Energy Attacks: &quot;Night Dragon&quot;">released a report</a> describing a new Advanced Persistent Threat they dubbed "Night Dragon." The attackers were able to take remote control of assets they compromised. In this attack, though, the motive was not sabotage but the theft of competitive intelligence. What is distressing is that while the adversary behind the attack seems very capable, the technology of the attacks was not very sophisticated. These adversaries were able to take over control system assets and energy-industry infrastructure using fairly unsophisticated "remote administration" toolkits.</td></tr></table><a href="http://controlsystemsecurity.blogspot.com/2011/02/mcafee-documents-night-dragon-apt.html#more">Read more »</a><br>
<br>
<b>Still No Report on Fly-Away Teams</b> (2011-02-08)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
The <a href="http://www.us-cert.gov/control_systems/ics-cert/" target="_blank" title="Industrial Control System Computer Emergency Response Team">ICS-CERT</a> has released a 7-page <a href="http://www.us-cert.gov/control_systems/pdf/ICS-CERT_2010_yir.pdf" target="_blank" title="ICS-CERT 2010 Year in Review">2010 Year in Review</a> summary. Prominent industrial security commentators <a href="http://www.digitalbond.com/index.php/2011/01/27/ics-cert-year-in-review-fails-to-look-in-mirror/" target="_blank" title="ICS-CERT Year In Review Fails To Look In Mirror">Dale Peterson</a>, <a href="http://chemical-facility-security-news.blogspot.com/2011/01/ics-cert-reviews-2010-in-cyber-security.html" target="_blank" title="ICS-CERT Reviews 2010 in Cyber Security">PJ Coyle</a> and <a href="http://scadahacker.blogspot.com/2011/01/taking-look-at-what-ics-cert-thought.html#more" target="_blank" title="Taking a look at what ICS-CERT thought about 2010">Joel Langill</a> have each posted on the summary, with Joel posting a mostly positive review, and Dale and PJ indicating that the Stuxnet "lessons learned" section is very much lacking those important lessons the ICS-CERT should itself have learned about its own response to the worm. My own opinion of the report reflects my desire for <a href="http://findingsfromthefield.com/?p=562" target="_blank" title="ICS Security Progress Masked by Vulnerability Reports">better indications of progress in the field of ICS security</a>. Reading between the lines of the "lessons learned" by the fly-away teams is suggestive, but such speculation should not be necessary.
</td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2011/02/still-no-report-on-fly-away-teams.html#more">Read more »</a><br>
<br>
<b>Compliance Managers Support Forensics</b> (2011-02-01)
<table bgcolor="white"><tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
One aspect of forensics practice which is regularly mentioned but is rarely described in any detail is configuration management. All of the references in last week's post <a href="http://findingsfromthefield.com/?p=706" target="_self" title="Security Basics: Control System Forensics">Security Basics: Control System Forensics</a> recommend documenting security configuration and other aspects of important hosts so that when there is an incident, you can compare the state of a potentially compromised host to the approved configuration for that host. However, none of the references describes how to record or manage such "approved configuration" information.<br>
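<p>One way to record and check an "approved configuration", as an added example that is not from this post or from the references it cites (and that also answers the "what kinds of forensics records" question raised in the Control System Forensics post that follows): snapshot the host's security-relevant state (file hashes, service states, selected settings), seal the record with an HMAC so that a compromised host cannot quietly rewrite its own baseline, and during an incident diff a fresh snapshot against the sealed record. The host contents, the host name, the approver and the key are all constructed for the example; in practice the key and the sealed records live off the monitored host.</p>

```python
import hashlib
import hmac
import json

# Key used to seal baseline records. Constructed for the example; a real one is kept off the host.
BASELINE_KEY = b"example-only-key-kept-off-the-host"


def snapshot(files: dict[str, bytes], services: dict[str, str], settings: dict[str, str]) -> dict:
    """Reduce a host's security-relevant state to a comparable record: file contents become
    SHA-256 digests, services and settings are kept as name -> value."""
    return {
        "files": {path: hashlib.sha256(content).hexdigest() for path, content in files.items()},
        "services": dict(services),
        "settings": dict(settings),
    }


def _canonical(body: dict) -> bytes:
    # Sorted keys and fixed separators so the same state always produces the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_baseline(snap: dict, host: str, approved_by: str, key: bytes = BASELINE_KEY) -> dict:
    """Wrap a snapshot as the approved-configuration record and attach an HMAC over its
    canonical JSON form, so the record itself can be checked before it is trusted."""
    body = {"host": host, "approved_by": approved_by, "state": snap}
    return {**body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_baseline(record: dict, key: bytes = BASELINE_KEY) -> bool:
    """True only if the record's HMAC matches its current contents under `key`."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("mac", ""))


def diff_snapshots(approved: dict, current: dict) -> dict:
    """Per category, list what was added, removed or changed relative to the approved state."""
    report = {}
    for category in ("files", "services", "settings"):
        before, after = approved.get(category, {}), current.get(category, {})
        report[category] = {
            "added": sorted(set(after) - set(before)),
            "removed": sorted(set(before) - set(after)),
            "changed": sorted(k for k in set(before) & set(after) if before[k] != after[k]),
        }
    return report


def has_drift(report: dict) -> bool:
    return any(items for category in report.values() for items in category.values())


# Constructed approved state of an HMI host, and a later snapshot of the same host showing
# a widened network allow-list, an unexpected binary, a re-enabled service and a lost setting.
APPROVED_FILES = {r"C:\HMI\runtime.exe": b"runtime build 4.2",
                  r"C:\HMI\config.ini": b"[net]\nallow=10.1.0.0/16\n"}
APPROVED_SERVICES = {"HMIRuntime": "running", "RemoteRegistry": "disabled"}
APPROVED_SETTINGS = {"firewall": "on", "autorun": "off"}

CURRENT_FILES = {r"C:\HMI\runtime.exe": b"runtime build 4.2",
                 r"C:\HMI\config.ini": b"[net]\nallow=0.0.0.0/0\n",
                 r"C:\HMI\svchost.exe": b"unexpected binary"}
CURRENT_SERVICES = {"HMIRuntime": "running", "RemoteRegistry": "running"}
CURRENT_SETTINGS = {"firewall": "on"}


def example_run() -> tuple[bool, dict]:
    """Seal the approved state, refuse to use it if the seal fails, then report drift."""
    record = seal_baseline(snapshot(APPROVED_FILES, APPROVED_SERVICES, APPROVED_SETTINGS),
                           host="hmi-01", approved_by="plant-security")
    if not verify_baseline(record):
        raise RuntimeError("baseline record failed its integrity check; do not compare against it")
    report = diff_snapshots(record["state"], snapshot(CURRENT_FILES, CURRENT_SERVICES, CURRENT_SETTINGS))
    return has_drift(report), report


if __name__ == "__main__":
    drift, report = example_run()
    print("drift detected:", drift)
    print(json.dumps(report, indent=2))
```

<p>The HMAC is what turns a configuration inventory into forensic evidence: a baseline that the host could silently edit proves nothing about the host. The same comparison run on a schedule, rather than only after an incident, is the change-detection control that compliance programs already require, which is why the two audiences end up wanting the same record.</p>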
</td></tr></table><a href="http://controlsystemsecurity.blogspot.com/2011/02/compliance-managers-support-forensics.html#more">Read more »</a><br>
<br>
<b>Security Basics: Control System Forensics</b> (2011-01-27)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
Most network administrators recognize the term computer forensics as the discipline of collecting evidence from computers for use in court. What may not be apparent is that computer forensics practices and technologies are also useful tools for general trouble-shooting. Forensic records are detailed enough to identify the cause of intrusions and other causes for litigation. As a result, these records are almost always detailed enough to identify causes of other kinds of problems, from performance anomalies to operator and administrator errors and omissions. But what kinds of real-time forensics are appropriate to deploy on industrial control systems? </td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2011/01/security-basics-control-system.html#more">Read more »</a><br>
<br>
<b>CIP-002-4 Is Coming</b> (2011-01-19)
<table bgcolor="white"><tbody>
<tr><td width="100%">(This article was originally published on the <a href="http://www.findingsfromthefield.com/" target="_blank" title="Findings From the Field">Findings From the Field</a> blog.)<br>
<br>
NERC <a href="http://www.nerc.com/docs/standards/sar/Project_2008-6_Ballot_Results_30Dec2010_Announcement.pdf" target="_blank" title="NERC CIP-002-4 Ballot Results Announcement">announced earlier this month</a> that long-debated changes to the NERC CIP-002 standard have passed ballot and are being submitted to the NERC board for approval. The changes introduce a "bright line rule" defining Critical Assets and Critical Cyber Assets. The rule eliminates the discretion NERC entities had in versions 1-3 to define their own risk-based assessment methodologies to identify Critical Assets. The changes should result in a much larger pool of assets being identified as critical and so subject to CIP standards. It remains to be seen though, whether utilities will take this opportunity to strengthen their security programs in light of recent advanced threats to control systems.<br>
</td></tr></tbody></table><a href="http://controlsystemsecurity.blogspot.com/2011/01/cip-002-4-is-coming.html#more">Read more »</a>