The Industrial Control Systems Joint Working Group Fall Meeting 2012 is being held in Denver, Colorado this year, organized by the DHS ICS-CERT. Yesterday, Billy Rios from Spear Point Security kicked off the meeting with a discussion that included mention of vendors’ defensive postures and the exploit brokers out there. A couple other talks included speakers from Raytheon and the DHS. For someone that savors the technical meat at Infiltrate, Defcon and Project Basecamp, it seemed that was I was surrounded by vegans. For example, when one speaker was asked about whether or not their product thwarts common pass-the-hash techniques that can be used to enable APT related post-exploitation lateral movement from corporate to SCADA networks within ICS environments, the speaker explained that their product uses pass-the-hash and other mathematical techniques that he couldn’t discuss to defend networks. Huh. Also, a generational air gap seems to be in place here too, with most of the speakers at least twice the age of speakers leaning into fresh offensive (and some defensive) security topics at Blackhat, Infiltrate, etc. Cultural differences abound.
A talk later in the day about 13 ways to evade firewalls could be boiled into a few thoughts – XSS problems are enabled by SSL proxies, sneakernet exacerbates Usb security issues, and misconfigured firewalls are an issue within ICS environments. These are all a decade old discussions, but may have some insight for top level folks that have no exposure to 10 year old security issues. The unfortunate thing is that these sorts of vulnerabilities continue to be present within critical infrastructure environments.
The second day seems to be starting off with much more interesting talks. SCADAHacker Joel Langill’s talk on “Utilizing TCP/IP Addressing Scheme for Network Isolation” demonstrated the usefulness of subnet masking and the misunderstandings of implementing VLANs when enforcing network security policies. Joel runs a fantastic site, sharing links to information that provide complementary data to some of the ICS cyber-security consulting services that he performs.
Dr Nabil Adam from the DHS Science & Technology Directorate demonstrated the powerful modeling framework CEMSA that they have developed, providing ways to model and understand credible consequences of multiple interacting critical infrastructure disruptions. These consequences and disruptions evaluated here based on concrete data around US located industrial operations like chlorine gas plants and online network backbones are the shocking stuff that folks have speculated on for years as “cyber pearl harbors”. The difference is that this intelligence and data analysis is the real deal in its precision and comprehension of planned attack, cascading, and coincidental disruptive events. It goes beyond ICS environments, to help policy and decision makers understand and prioritize disruptive impacts. Currently available to “anyone interested” from US based government agencies.
The day is wrapping up with a panel discussion where the industry seems to see the light that there is no such thing as air gap, but people still believe it. A couple of the speakers seemed to think that it air gaps are appropriate for very specific environments, but asset operators in the audience are explaining their struggles with gapped controls and the “technical debt” existing in such an environment, while risks are increasing. They are having an even more difficult time with the “unquantified” amount of risk that their systems are undertaking. Nobody in the room has an easy answer for quantifying this data, including the guy monopolizing the microphone, and falls back on consequences of disruption. While the term “Stuxnet” was voiced several times, and someone mentioned “that Saudi-whatever thing” (I think that he meant Shamoon targeting Saudi Aramco), the folks don’t seem to understand the bigger malware – Duqu, Stuxnet, Flame, Gauss, and now, SPE, let alone spearphishing and post-exploitation activity. You can find details of each here on Securelist. And more is on its way about defending against these sorts of malware with Critical Infrastructure Protection too.