
September SCADApedia Entries


TCP DoS, bang or whimper?

There has been a lot of buzz lately about the Denial of Service vulnerability that a Swedish security firm, Outpost24, has discovered.  Right now the details are limited, as the researchers aren’t going to release them until they present at the T2 conference in Helsinki later this month.  This is similar to the way the DNS issue was handled earlier this summer by Dan Kaminsky.  And since security researchers tend to be a curious sort, there is bound to be rabid speculation about what the problem really is.

Some very smart people have weighed in with their thoughts, including Fyodor (of nmap fame) and Graham, and Kaminsky has a great post on the meta issue of partial disclosure.  From what I can tell this will just be a minor blip for most people. Those with services large enough to be worth DoS’ing have largely distributed systems and won’t really be affected any differently than by a flood from a botnet; the attack can simply be carried out more efficiently. In fact it will be easier to mitigate, since this type of attack does not allow for spoofed connections.

But this may shape up to be one of those issues that affect control systems more than the average system.  We’ve already seen that excessive network traffic can cause major problems, but with this form of attack the same problems could manifest themselves with a very limited number of packets from a compromised system. Given the lack of monitoring tools in a lot of those networks, that may make it extremely hard to track down and make for a very rough day for operators.

Since the full scope of the vulnerability isn’t public yet, (probably) not much more than the usual advice can be offered: separated networks, ACLs, and monitoring are very good defenses if deployed properly.  We’ll keep following this, as I’m sure many of you will; problems in underlying protocols like TCP don’t come around every day.

Friday News and Notes

Where does Bandolier fit?

As we’re getting closer to a beta release of the Bandolier audit files, it’s a good time to look at how they can fit into asset owner security strategies. I often bring up personal experience when talking about this project. Back in the days when I had security responsibility for control systems, it was difficult to determine an optimal security configuration for the workstations and servers — certainly at the OS level and even more so at the application level.

So why is it so challenging to take the necessary steps to secure these servers and workstations? There are a variety of reasons, most of them stemming from availability concerns. Here are some examples I have seen:

1.) Fear of voiding a vendor support agreement by making any changes to the delivered configuration
2.) General fear of breaking something — “it ain’t broke, don’t fix it” mentality
3.) Uncertainty regarding what ports and services are required by the application(s)

All of these can be summarized as “fear of the unknown”. This is something that even the best “top down” security guidance (e.g. NERC CIP, SP800-53, ISA99, etc.) does not address. Bandolier helps fill this gap by using a practical, “bottom-up” approach to define and audit an optimal security configuration at a very nuts and bolts level. This is something I wish had been available for some of my previous responsibilities and is why I think it is an exciting project.

I don’t mean to take anything away from the standards efforts because they are good and necessary. In many cases the Bandolier audit files can help address specific parts of the standards. But based on my experience and the feedback we’re getting, there are a lot of asset owners out there looking for something more specific. Where servers, workstations, and control system applications are concerned, Bandolier is helping meet that need.

Announcing . . . The S4 2009 Program

The S4 Program Is Out!!!

  • See the full program document with detailed descriptions of the sessions, venue and new S4 hotel
  • See a summarized list of the sessions
  • This is the third edition of S4 [see 2007 and 2008 abstracts] and each year we try to focus on cranking up the technical content. The authors have really come through this year, and as in previous years I’ll preview a paper or two each week.

    We also try to incorporate suggestions from S4 alumni and try one or two novel things each S4. Here are some new twists for S4 2009.

    • We have added an Advanced Training Course the day before S4, on January 20th. Read the description of Security Testing of Control System Components.
    • Alumni have suggested a free flowing Session. Our answer to that is The Great Debate: Is It Possible to Safely and Securely Connect Safety Systems to Control Systems? See the program for more detail on the format of this session.
    • Back channel chat for all attendees. In past S4’s, Virtual Attendees could chat and discuss a presentation in real time. Now physical attendees will be able to join in.

    A few other surprises will be revealed in the upcoming months including the keynote and an invited session. We have a theory and approach to S4 keynotes, I’ll share in a future blog.

    S4 alumni registration has opened today, and general registration will open on October 15th.

    We expect a sellout this year - - based on 35 physical attendees in 2007, 53 in 2008, increased interest in the field, and the trend of increasingly strong papers from researchers. Of course, that is also our hope. If you want to ensure you can attend in person, register early.

    We are offering the Virtual Attendee program again this year. Virtual attendees have been pleased with the experience, but of course miss the interaction with 55 top researchers and beautiful Miami Beach in January.

    Patent Application for Aurora Vulnerability Fix

    How would you feel if Core Security, KF, Eyal, Neutralbit … or Digital Bond … found a vulnerability in an important critical infrastructure component; created a sensational video demonstration of the impact / consequences that was picked up by CNN and the rest of the media; and then patented and licensed what we claimed to be THE solution to the vulnerability?

    A patent application for an Aurora vulnerability mitigation was published last week, originally filed on March 20, 2007. It was submitted by INL/Battelle Energy Alliance. It is reasonable to assume this was the technology licensed to Coopers and referenced in a few articles and significant scuttlebutt that claimed others were not adopting the ‘fix’.

    This is not meant as a slam of the patent holders. Rather it is hopefully a realpolitik wake up call to the community that everyone involved in the vulnerability disclosure issue (researchers, vendors, asset owners, universities, national labs, congress, executive branch agencies, magazines/media and yes, even consultants) addresses vulnerability disclosure at least partially through self interest. No one is pure.

    Let’s wake up and realize that vulnerability disclosure is always going to be contentious and can’t be contained. Let’s place the emphasis on improving security engineering to reduce the number of vulns and the response to quickly and professionally address identified vulns. At least in this case a solution for the vuln, albeit hugely hyped and albeit for pay, was provided.

    Digital Bond Turns Ten

    Digital Bond opened our doors ten years ago today on Sept 28, 1998. Like most businesses, Digital Bond morphed over time.

    Gen 1 was a company designing a smart card solution to secure Internet brokerage transactions. We actually did pharming demonstrations with brokerage sites back in 1999, but we were never able to get the large brokerage beta client to get this product to take off - - of course a few bubble bursts didn’t help. We started doing security consulting to pay the bills rather than go for another round of angel/venture funding. Some of the team found they actually liked consulting more than developing products.

    Gen 2 was a combination security consulting / value added reseller focused on the Florida market. We did assessment, architecture, policy engagements for a lot of banks and ecommerce companies, and we also sold, installed and supported products from Checkpoint, Cisco, Network Associates, Websense, … We found the resale/install to be more trouble than it was worth and quickly moved to pure consulting.

    Gen 3 is where we are today, a control system security consulting and research practice. And we stumbled into that when a very large water system asset owner asked us to perform a security assessment on their SCADA system back in 2000. A bit scary looking back at that now knowing what we have learned over the past eight years. Control systems security engagements became a growing part of our business, slowly at first but then easily. Sometime in 2004 we decided to focus on control system security and since then it has been our entire business except for longtime customers in banking we still support.

    A few key dates in our control system security history:

    October 2003 - we started the SCADA Security Blog. There are now over 850 blog entries. It is funny that the second entry discusses the Modbus Hack Demo that was making the rounds in the control system events and now five years later is being shown at events like Defcon/Black Hat.

    March 2004 - Digital Bond received our first research contract from DHS to create IDS signatures for control system protocols. Given these signatures are in almost every commercial IDS, I think DHS got their $100K’s worth.

    December 2006 - The SCADApedia started because we got tired of good, factual information getting aged off and buried in the blog. I know the SCADApedia has not gotten a lot of traction yet, but it is something that needs to be a certain size before the value is clear. Now with over 100 entries of increasing detail more people are using it.

    January 2007 - Digital Bond’s first annual SCADA Security Scientific Symposium [S4] takes place in Miami Beach with about 35 physical attendees and about 20 virtual attendees. Attendance grew by 50% in 2008, and we anticipate a sellout in 2009. S4 was created out of frustration that there was nowhere to present technical research to a technical audience.

    October 2007 - Digital Bond is awarded a Dept. of Energy research contract that is leading to the Bandolier and Portaledge projects.

    May 2008 - Digital Bond is awarded a DHS research contract that is leading to Quickdraw.

    What is missing from this highlight timeline is our consulting clients, many fantastic asset owners who always desire to avoid security publicity. I frequently say that we are blessed in that we work with people who care about control system security - - - otherwise they wouldn’t pay to hire us. They are the top 10%, the early adopters.

    Many of the clients have been working with us for 3, 5, and even 8 years. The progress they make from a system with many security problems to a set of effective technical and administrative controls is impressive and a credit to them. We even have some long time clients who ask us what else they should be doing, and there is nothing on the list of more value than more rigor in ensuring they are effectively implementing what they have in place.

    Finally I would be remiss if I didn’t mention that Digital Bond has had a number of talented security professionals who are now Digital Bond alumni, and I want to publicly thank them for their hard and often brilliant work while they were with the company. The fact that they all remain close and willing to help Digital Bond, and vice versa, is a source of pride.

    After ten years I hope we learned something about creating and running a business. My unsolicited advice to anyone thinking about starting a company is you will have higher highs and lower lows as an entrepreneur than you can ever prepare for. Make sure you enjoy the highs and power through those lows.

    Friday News and Notes

    • The US House Energy and Commerce Committee decided to not address a bill giving FERC emergency powers for cyber security of the electric grid this session. This was more of a time issue than a position, and expect to see it come up again in the spring.
    • Lofty Perch has a temporary offer to provide CS2SAT free of charge to asset owners - - while supplies last.
    • Eyal Udassin of C4 Security in Israel disclosed a vulnerability in ABB’s PCU400 FEP this week. A patch is available.
    • For our Japanese readers - - JPCERT has launched a control system security portal page with links to pertinent information in Japanese.

    September Podcast: This Month In Control System Security

    Joining me in the September Edition of This Month In Control System Security:

    • Joe Weiss of Applied Control Solutions to discuss why he thinks a control system CERT is required and his recommendations provided to CSIS for the next President.
    • Jake Brodsky of the Washington Suburban Sanitary Commission updates us on Secure DNP3 and discusses security needs for control system protocols in general.
    • Dave Teumim of Teumim Technical discusses the progress made in the transportation sector in a new APTA security guideline effort.

    Some links discussed in the show:

    Direct link to the podcast.


    Podcast Info:

    We have made it easier for you to get Digital Bond’s podcasts.

    Subscribe via iTunes.

    Or you can subscribe to the Podcast RSS Feed.

    Bandolier Application Check Documentation

    After some feedback from the Bandolier alpha release, we are now preparing for a beta release that will include audit files for Telvent and Siemens plus two additional systems. Part of that release will include the online documentation for each application check.

    The documentation adds value by helping the asset owner understand the context of the check and provides information on validation and remediation where it is applicable. We are able to include a URL that links directly to the appropriate page for each one using the “info” field made available through the Nessus policy compliance plugins. Here’s what it looks like in the audit file:

    <custom_item>
    type: FILE_CONTENT_CHECK
    description: "b11008: Determine if permissions are set correctly for the OASyS DNA RealTime Server (bobjAcknowledge)"
    info: "http://www.digitalbond.com/index.php/research/bandolier/b11008"
    value_type: POLICY_TEXT
    value_data: "c:\program files\Telvent\config\BLT\Realtime.txt"
    regex: "bobjAcknowledge.*"
    expect: "bobjAcknowledge, DNA Permission - Control_SCADA"
    </custom_item>

    The documentation pages are Digital Bond subscriber content but we have removed that requirement for a couple of them so non-subscribers can see some examples. Here is the link that you see in the authorization check above. And here is one that documents a “supporting application” check, in this case an Apache parameter on a Siemens Spectrum Power TG Web Host.

    Because writing the documentation requires a lot of manual review, it has proven to be a great internal QA process. That, combined with vendor feedback on some of the checks, should help us deliver a quality set of audit files for the beta release so stay tuned.
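    As an added illustration (not Digital Bond’s code and not the Nessus compliance engine), here is a small Python evaluator for a FILE_CONTENT_CHECK item like the b11008 check above: it parses the custom_item fields, then applies the regex/expect pair to constructed Realtime.txt contents, one as delivered and one where the permission has drifted. The pass/fail rule is an assumption about how the engine treats “expect”, since the page does not spell it out.

```python
import re

# Constructed copy of the audit item shown in the post, with straight quotes
# and the matching </custom_item> closing tag.
AUDIT_ITEM = r'''
<custom_item>
type: FILE_CONTENT_CHECK
description: "b11008: Determine if permissions are set correctly for the OASyS DNA RealTime Server (bobjAcknowledge)"
info: "http://www.digitalbond.com/index.php/research/bandolier/b11008"
value_type: POLICY_TEXT
value_data: "c:\program files\Telvent\config\BLT\Realtime.txt"
regex: "bobjAcknowledge.*"
expect: "bobjAcknowledge, DNA Permission - Control_SCADA"
</custom_item>
'''

# One "key: value" line; the surrounding double quotes are optional.
FIELD_RE = re.compile(r'^\s*(\w+)\s*:\s*"?(.*?)"?\s*$')

def parse_custom_item(text):
    """Return the fields of the first <custom_item> block as a dict."""
    body = re.search(r'<custom_item>(.*?)</custom_item>', text, re.S)
    if body is None:
        raise ValueError("no <custom_item> block found")
    fields = {}
    for line in body.group(1).splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def evaluate_file_content_check(item, file_text):
    """Apply a FILE_CONTENT_CHECK to text already read from value_data.
    Assumed semantics (not spelled out on the page): pass only when at least
    one line matches 'regex' and every such line also matches 'expect'."""
    if item.get("type") != "FILE_CONTENT_CHECK":
        raise ValueError("not a FILE_CONTENT_CHECK item")
    hits = [ln for ln in file_text.splitlines() if re.search(item["regex"], ln)]
    passed = bool(hits) and all(re.search(item["expect"], ln) for ln in hits)
    return passed, hits

# Constructed Realtime.txt contents: one as delivered by the vendor, one where
# the acknowledge permission has drifted to a broader group.
COMPLIANT = "bobjAcknowledge, DNA Permission - Control_SCADA\nbobjView, DNA Permission - View_Only\n"
DRIFTED = "bobjAcknowledge, DNA Permission - Everyone\n"

if __name__ == "__main__":
    item = parse_custom_item(AUDIT_ITEM)
    for label, text in (("delivered", COMPLIANT), ("drifted", DRIFTED)):
        print(label, evaluate_file_content_check(item, text), item["info"])
```

    Printing the “info” URL next to each failure is what makes the check actionable for an operator: the finding and its documentation page travel together.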
