This April I met an energetic young man named Dillon Beresford. He told me that he had gotten some SCADA gear and setup a lab in his apartment and discovered a raft of vulnerabilities that he would be presenting shortly at TakeDownCon.
The most interesting aspect of the meeting was that it was essentially entirely random – I wasn’t anyplace I would have expected to meet the next rock star of industrial security.
Crossposted from InfoSec Island
I was in Austin, Texas speaking on a NESCO Townhall panel so I dropped by and see Vik Phatak at NSS Labs. Vik and NSS CEO Rick Moy are old friends and repetitively past colleagues.
While running Lofty Perch in 2006 they had asked my advice about buying NSS Labs, in 2008 I helped out a bit as Chief Evangelist, back in the day Rick and I were Protego twins and somewhere around the Dawn of Time we created Cisco AVVID together. A family visit in other words, with no reason to think there would be particularly revelatory discussions of control system security.
But as Vik and I sat outside the NSS Labs office Mr. Beresford came out to join us. Vik introduced him as one of their researchers who had been working on stuff that might interest me. Dillon launched into the story of how he had bought a few PLCs and setup a lab at home.
How, with no previous experience and only the off-the-shelf knowledge that a good security researcher would have, he had managed to break SCADA gear from several vendors. Dillon was excited about presenting his findings at TakeDownCon a few weeks later.
As you probably already know, Dillon did not give his talk at TakeDownCon. Siemens and the Department of Homeland Security asked him to reconsider, and with the good of industrial customers in mind Dillon agreed to hold off on the release of the vulnerabilities.
In subsequent weeks Dillon has worked with ICS-CERT and the vendors on the vulnerabilities. ICS-CERT has released two advisories, one for Siemens devices and one for Sunway.
Sunway is a Chinese vendor and a favorite of the Chinese military, who use these devices to control weapons systems among other things. Siemens of course provides products to industrial customers all over the world, including many of the most sensitive bits of critical infrastructure that come to mind.
What is most striking about this is that one bright and energetic researcher in Austin was able to find multiple fundamental flaws so serious that the US and Chinese federal governments had to react. Take nothing away from Dillon – he is that bright – but it would be foolish to assume that he is the only person you never heard of you will come to know (by name or deed) for essentially the same reasons.
As LulzSec, Anonymous and the Sony Swarm have demonstrated quite clearly this year, the nation-states are not the only threat to strategic national and economic interests. For every Dillon Beresford out there finding things and Doing the Right Thing there is bound to be a Bizzaro Dillon doing the same for less honorable reasons.
A couple hundred dollars on eBay will get you some PLCs to play with right now. A couple grand and you can replicate the configuration of thousands of water treatment facilities (electrical co-ops, production lines, mining operations…) in the privacy of your own home. For the cost of a really crappy used car, everyone with the time and inclination can try to develop their own zero-day industrial attacks.
Everyone skilled will succeed.
Threats to critical infrastructure are usually discussed in the terms of Cyber Warfare. Iran, China, Israel, the US and North Korea are among countries said to have or be developing significant cyber warfare capabilities. While this is real cause for concern, even mad-dog nations like North Korea have some restraint about launching massive attacks against other states’ physical infrastructure.
Unlike a nation-state, however, there is no reason to believe that a sufficiently motivated individual or small group would not release malware which attacks everything it sees.
With the state of security at most industrial sites today, there is every reason to expect at least a significant success rate for such an attack. Given the state of visibility into the activity of these networks, there is likely to be no warning.
Dillon Beresford has played several valuable roles in the industrial security saga. The first was making us aware of vulnerabilities that need to be addressed.
The second was making us wonder. Who else is hard at work right now?
9 comments