The 12th ICS Cyber Security Conference was held at Old Dominion University’s Virginia Modeling Analysis and Simulation Center (VMASC) October 22–25, 2012. There were approximately 150 attendees from multiple industries, universities, government, and vendors as well as consultants from the U.S., South America, Europe, and Asia. The conference used the remote video conferencing capabilities available at VMASC to enable a few speakers to participate from as far away as Europe and Asia.
The conference addressed multiple aspects of the vulnerabilities that affect industrial control systems (ICSs). These are the programmable logic controllers (PLCs), distributed control systems (DCSs), SCADA, and other systems that make our modern world function smoothly every minute of every day by controlling physical processes in power and water utilities, oil and gas pipelines, chemical and manufacturing plants, transportation, and defense. These are the same types of systems that were compromised by Stuxnet.
Conference participants studied case histories and discussed the progress of standardization and interoperability. No press representatives were allowed into the conference, and a non-attribution policy was rigorously enforced, hence the lack of names and affiliations in this report.
No Consistent Definition
Showing the diversity of interests of those working on cyber security threats, conference participants could not agree on a single definition of what constitutes a cyber incident, particularly an unintentional incident. One very useful outcome of the conference was developing a better appreciation of the breadth and depth of critical infrastructure protection (CIP) security required, the wide range of skills required to solve cyber security problems, and the importance of sharing information, particularly about unintentional incidents. ICS cyber incidents caused without intent—failures stemming from the processing, storage, or transmission of data—can have disastrous consequences and serve as roadmaps for ICS system hacks. (For more on ICS protection failures and their consequences, see “Ensuring the Cybersecurity of Plant Industrial Control Systems” in the June 2012 issue of POWER, available at http://www.powermag.com.)
Another key conference finding was that there are few (being generous) technologies actually developed for ICS that are not recycled IT solutions. One emerging technology solution was discussed that could be a game changer because it improves control system performance and appears not to be susceptible to cyber threats. However, it is still in the research and development phase, and details were sparse. Additionally, progress is being made on device authentication at the protocol level, and some chipmakers are transferring their know-how to control systems for authenticating end devices. Protecting product information is becoming much more common these days (see sidebar).
Many Are Unaware
An international survey performed for CIGRE (the International Council on Large Electric Systems) identified the lack of cyber understanding by the control and protective relay community as another area of work that is currently lagging. This is particularly important as CIGRE did not address the impact of the Aurora test—a cyber attack on power generating equipment staged by the U.S. Department of Homeland Security (DHS) in 2007 at the Idaho National Laboratory (INL)—even though it concerned a protective relay issue.
The conference included the first public discussions of the Aurora vulnerability, including a discussion of the facts surrounding the INL test. Somewhat disconcerting was the fact that more than five years after the Aurora test, very few of the critical infrastructure attendees understood the technical issues surrounding the test and why its results directly apply to their facilities. (See http://bit.ly/VAnxat for a description and video of the Aurora test plus a technical discussion of its importance to cyber security.)
This lack of awareness was demonstrated by one question from the floor. The individual asked why the “electric industry should care about every substation since there are so many substations—losing some should not be cause for concern.” The answer is that exploiting the Aurora vulnerability effectively makes the substation an attacker. Consequently, any unsecured (for Aurora) substation can be a threat to any commercial or industrial facility with rotating equipment served by that substation, including power plants, refineries, ships, hospitals, data centers, and the like. Because so few utilities are addressing Aurora, a representative from the Department of Defense questioned if they should take matters into their own hands by installing mitigation at their facilities, effectively protecting themselves from their own utilities!
Information Sharing Is Vital
There are pockets of end users who are willing to share ICS information with their peers in industry. Utility control system engineers from two different utilities discussed their actual recent ICS cyber case histories. In both instances, the cause was unclear, making solutions difficult to identify. In one case, the utility lost view and control of the plant and was unable to restore the view even with the vendor on site. In the other, the utility experienced several instances of complete loss of control and view with plants at power!
Another utility discussed its legacy control system cyber security test bed. The utility made a plea to establish an informal information-sharing program to share industry practices. This involves sharing of real information, not literature searches of “solutions.”
There was discussion of a project using Shodan (a cyber security search engine) with selected key words that found more than 500,000 Internet-facing control system devices all the way to device IP addresses. This information was recently provided to the DHS and resulted in a nationwide vulnerability notice in late October. Even today, the researcher is concerned about his liability because he found the actual Internet addresses. The researcher provided this example of the lack of understanding about ICS vulnerabilities: He contacted a water utility when he found it had ICSs that were remotely accessible to anyone with an Internet connection, but the end user appeared to not understand the importance of the information and essentially ignored the warning.
A water utility described a disgruntled insider compromise. It took an inordinately long period of time to get the FBI to respond. When the FBI finally responded, they took the utility’s hard drive, and the replacement hard drive did not work. Fortunately, the utility had mirrored hard drives and was thus able to continue operation despite the loss of the one hard drive.
There were two ICS hacking demos that proved the differences between a knowledgeable attacker and hacker with minimal ICS understanding. The knowledgeable attacker showed with less than $60 of “Radio Shack” equipment that he was able to compromise Zigbee wireless networks. The second demonstration was by a malware researcher with minimal understanding of ICSs. By simply starting with a vulnerability notification about the technology on which the SCADA system was built, he was able to take control of the vendor’s SCADA software.
On the post-conference press call, I was asked what I considered the most important need for ICS cyber security. I believe it is senior management buy-in—that is, understanding the possibility and consequences of an incident, the talent required to mitigate it, and prioritizing resources for ICS cyber security.
The 12th ICS Cyber Security Conference provided attendees with a valuable venue for information sharing about ICS practices and incident descriptions, plus networking opportunities that can’t be replicated. For information about the 2013 conference, visit http://www.icscybersecurityconference.com.
—Contributed by Joe Weiss, PE, CISM, CRISC, ISA Fellow, and IEEE Senior Member. Weiss is the principal of Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats, published by Momentum Press. Follow Weiss’ “Unfettered Blog” at community.controlglobal.com/unfettered for the inside story on the latest cybersecurity news.