Reflections from the RSA Security Conference - the Blind Leading the Blind
I just returned from 3 days at the RSA Security Conference in San Francisco. This is billed as the world’s largest cyber security conference. There were more than 18,000 attendees with more than 200 speakers. I want to personally thank RSA for recognizing the ICS community with 5 sessions on control systems and Smart Grid. The sessions were:
- CIP Take 2 – Where will the race to compliance lead us – Jon Stanford-BPA, Joe Weiss-ACS
- Hacking the smart grid; the myths, nightmares, and professionalism – Gib Sorebo-SAIC, Matthew Carpenter-Inguardians, Matthew Franz-SAIC, Seth Bromberger-PG&E
- Smart Grid Security Standards – Darren Highfill, Bobby Brown-Enernex, Matthew Carpenter-Inguardians, Annabelle Lee-NIST
- Cracking Down SCADA Security – Jason Avery-TippingPoint
- What makes infrastructure critical and how is IT increasing the risk – Laurent Webber-WAPA, Michael Echols-SAIC, Jon Stanford-BPA, Joe Weiss-ACS
I didn’t have a chance to attend all of the sessions because of scheduling conflicts. As best as I can tell, there were fewer than 10 control system personnel who attended, including speakers - the rest were IT.
I wanted to discuss my observations of the Hacking Smart Grid and Cracking SCADA sessions. (Note - neither session had representation from the ICS community). During the Hacking Smart Grid session (http://www.wired.com/threatlevel/2010/03/smart-grids-done-smartly/), Matthew Carpenter made the following statements that I have real problems with:
- There have been no new cyber problems
- Pen test everything
- The biggest problem with Smart Grid is using AMI to remotely disconnect meters
All three of those statements have significant problems… in fact they are wrong.
There have been new cyber problems that are ICS-related including Hatch, Aurora, and according to the RISI database and my own, well over 100 others - these weren’t IT. They were flatly cyber events that happened in Industrial Control Systems.
Secondly, pen testing legacy control systems WILL shut them down or do even worse. It isn’t a question of whether pen testing will damage legacy control systems but when. I repeatedly asked vendors and experts alike if they had ever worked with non-windows embedded controllers like PACs and PLCs. Uniformly the answer was “No.”
I believe the most significant cyber issues with the Smart Grid are the vulnerabilities introduced into the grid, itself, and not turning on or off meters.
If what Matt Carpenter said is indicative of what he really believes, one really has to question the technical underpinnings of the NIST Smart Grid efforts. As an aside, I was asked by GAO about my thoughts on Smart Grid and the NISTR. I have been heavily involved with NIST for years on SP800-53 and SP800-82 efforts (non-Smart Grid) and have the utmost respect for NIST’s capabilities. I wish I could say the same for the Smart Grid efforts.
Jason Avery of Tipping Point talked about hacking SCADA. Consequently, I asked him the following questions:
- Did you look at non-Windows devices – NO
- Did you address system-of-systems issues – NO
- Are you aware of control system issues with SCADA systems – NO
I don’t know about Jason Avery, but it would have embarrassed me to admit to such ignorance.
Once again, we come smack up against the problem that there are very few industrial cyber security experts. Hopefully, this is something my book will help to fix.
It really doesn’t look like we’re making real progress in Industrial Control System security yet, does it?
Joe Weiss

Reflections and Comments
Dear Joe,
I realize you have a message to get out, and at the core your goals are similar to mine, a stable electric grid.
Your blog summary does not accurately reflect what I said or my viewpoint. Below are comments on your three points:
* Regarding new cyber problems. My fellow panelist indicated that we are solving many of the same problems we've solved before. "...research that is being done on security in these components is not necessarily new. We are talking about encryption, key management, strong authentication. These are not new concepts. The devil is in the implementation."(*) My comment was that we may be solving many of the same problems, but the impacts are significantly different. The point is that IT security specialists have to think critically about what is different from the common desktop/server zombie-bait.
* I assume you agree that penetration testing is an important security tool, when properly applied. Penetration testing has taken on so many meanings that I got explicit. In the power sector, I specifically spelled out the following as worthy activities:
  * Security Vulnerability Research - not interacting with the live grid
  * In-Lab attacks - not interacting with the live grid
  * Mental exercises by security-minded people at every level. "How can X be abused?"
Offline testing coupled with lab-testing and table-top mental analysis can dramatically help to improve the state of the grid while bringing all of us into thinking critically about this system-of-systems we continue to deploy and maintain.
* Regarding the "biggest smart grid problem". I did not make any such statement. I called out the significant difference in AMI-related risk between meters which have a disconnect switch and those which do not. Perhaps that is what you were referring to?
If you are not aware - IT, telecom, and electric sector experts are working together to improve the security of the Smart Grid, collaborating through organizations such as NIST, OpenSG, ASAP-SG. If you would like more information about these groups, please call me.
In order to succeed, we need to encourage continuing collaboration and cooperation between these technical experts, as they all bring vital experience and expertise to the table.
Thank you,
Matthew Carpenter
616-813-5103
* taken from http://www.cyblog.cylab.cmu.edu/2010/03/rsa-2010-hacking-smart-grid-myth...
Real experts don't use the term
Most of the real 'experts' in the security area call themselves specialists rather than 'expert'.
I think the real problem with Avery's talk was that he had snagged a slot to talk about his fuzzing tool by playing up the SCADA angle. It was not really a SCADA talk, and he was not a SCADA expert.
We do not pen test quite a lot of systems even in the enterprise security world. He should have been aware that you should not fuzz live kinetic systems.
SCADA Security Experts
Ralph has it almost right
#1 - not that big a deal but helpful
#2 BIG deal - esp. the control system part.
#3 Really BIG deal - if you have never been at a process plant [not a manufacturing plant which is a different animal] you have no idea of what the needs of the operation are. And you absolutely cannot manage a SCADA site remotely IMHO. You have to be there to see what you are doing and judge the possible impact of your system management activities.
Cyber security experts
Here is my quick assessment for spotting cyber security experts. It's a simple three-question-test:
1. How many books on control theory have you read?
2. How many non-Windows peripherals or control systems have you played with?
3. How many plant floors did you visit?
Everyone who comes up with an answer more than zero for all three questions must be an expert! And since that is the case, we can infer that we have a long, long way to go. Hopefully your book will help.