Motley Moose – Archive

This past week was the National Electric Sector Cybersecurity Organization Resource (NESCOR) Summit in Washington, DC. It was a useful and productive session and seemed to achieve the goals laid out.

Erfan Ibrahim from EPRI set the stage, we broke into working groups to dig deeper into three major subtopics and then came back to one room to tie it all together.

My favorite part was an impromptu panel with Justin Searle of InGuardians, Andrew Wright from N-Dimension and myself at the end (“would I like a stage and a microphone?” are you kidding?). Very good discourse and it was definitely informed by the work of preceding days.

The working groups are continuing and evolving to identify and dig into issues, outputting tangible deliverables to assist DoE and other organizations’ decision making.

In May my colleague Guillermo Grande attended an ISA event in Madrid where CNPIC is following a similar path of engaging pertinent parties, setting up working groups and grinding through the problem of industrial control system security.

Watching the various engines of civil society warm up and set to addressing the daunting task of critical infrastructure cybersecurity is very interesting, like an episode of Build it Bigger. Some would say it is also very depressing or even very frightening.

I would disagree with those folks.

(crossposted from Infosec Island)

Crossposted from Infosec Island

[Note: “SCADA” and “ICS” are essentially interchangeable terms for “Critical Infrastructure”. ICS is “Industrial Control Systems” and it doesn’t really matter what SCADA means for our purposes here.]

The root problem with SCADA security is that control systems have been built on the concept that devices can be trusted.

Since everything else about SCADA is based on the concept that devices can never be trusted (“Sure, the temperature in the boiler should stay at such-and-such, but I would like to monitor the hell out of it, anyway.”), once you get your head around the idea that you cannot trust your cyber devices either you find that it fits with existing industrial ideology quite well.

The solution to industrial cyber security is to do your best to build a reliable cyber system – just as you do with the physical assets in the industrial process – then monitor it like a convicted criminal in solitary confinement.

Hi folks,

This is a short article I wrote for InfoSecIsland. Normally I wouldn’t post something like this on a political blog, but the conversations here on Stuxnet were as intelligent as any other. This was written with my Day Job hat on but is not a pitch for AlienVault specifically – any SIEM will do – but since AlienVault has the Open Source SIEM the topic cannot be discussed without bringing them up anyway.

Background

Control System networks are electronic systems for controlling the physical world. These systems are deployed in virtually every aspect of modern life from power grids to transportation, manufacturing, agriculture, building control and more. Since 1979 these systems have been becoming increasingly similar to the Information Technology (IT) networks which have developed over that time. Today, most Control System networks are based on the same TCP/IP protocols that run on the Internet and use computer systems which are vulnerable to the same attacks which plague business and home users.

In June of 2010, the first malware specifically designed to attack Control System networks was found in the wild. Stuxnet, a complex worm that targets Siemens’ WinCC Control System server software, uses a vulnerability involving USB thumb drives to compromise the Windows operating system of WinCC servers. Once installed, Stuxnet subverts the WinCC software itself and then pushes altered software to the Programmable Logic Controllers (PLCs) that control very high speed motors. Since the motors Stuxnet is designed to target operate at between 807 Hz and 1210 Hz the popular conclusion that this worm was targeted at the nuclear centrifuge installation at Natanz, Iran, is generally supportable (the United States restricts exports of similar motors above 600Hz due to their use in refining nuclear fuel).  

If you haven’t heard about the Stuxnet worm by now you probably soon will.  The analysis of this recently identified ‘weaponised’ worm is the opening chapter of a fascinating John le Carré novel for the 21st century with political, diplomatic and practical implications for all concerned.



A little background:

One of the most sophisticated pieces of malware ever detected was probably targeting “high value” infrastructure in Iran, experts have told the BBC.

Stuxnet’s complexity suggests it could only have been written by a “nation state”, some researchers have claimed.  It is believed to be the first-known worm designed to target real-world infrastructure such as power stations, water plants and industrial units.

It was first detected in June and has been intensely studied ever since.

Jonathan Fildes – Stuxnet worm ‘targeted high-value Iranian assets’ BBC 23 Sep 10

Unfortunately there is no specific forensic evidence that Iran was the target, although it seems the epicentre of infection.  And clearly this is not the work of some hacker ‘sitting in the basement of his parents house:’

Since reverse engineering chunks of Stuxnet’s massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown.

Bruce Schneier – The Stuxnet Worm Schneier on Security 22 Sep 10

Holy Thumbdrive, Caped Crusader!