We are off and running . . . I’d estimate about 150 attendees (officially 200 registrants) and a quick poll showed about 75% are first time PCSF attendees. Nice to see so many fresh faces and asset owners.
This PCSF event is taking a different approach in focusing on ‘solutions’. Looking at the agenda it has many product vendors and labs and projects hoping to spin out products. On the positive side, this goes beyond explaining the problem and hopefully helps to solve problems. This make sense. Awareness has been achieved – – at least in those that attend this event.
On the negative side – the most common and strident complaint I hear at events is “too commercial”. Solutions that involve the purchase of products or services are by nature commercial. It will be interesting to see the reaction.
Perry Pederson: DHS, Director – Control System Security Program (CSSP) is introducing the Morning Keynote. Good to see some senior DHS representation at the event.
Morning Keynote: Bruce Landis, DHS Deputy Asst. Secretary for Cyber Security and Telecommunications
Bruce’s background was as a cryptologist at NSA for about two decades. He reports up to Greg Garcia. Informal remarks focus on consequence in the risk equation. Now reading the prepared remarks. “control systems are vulnerable and exposed . . . risks are substantial”. Overview of Cyber Security and Telecommunications organizations and strategic priorities.
The presence of the Deputy Asst. Director is important. PCSF started in the DHS S&T and moved to DHS NCSD in the last year. It was unclear, at least to me, whether DHS was going to continue to invest in PCSF. “PCSF is one of the Departments most successful efforts with the private sector”.
Warning: self serving comment – Bruce highlighted US-CERT and the fact they have issued three control system vulnerability notes. Three of those were from our ICCP research.
“The time for debating our vulnerabilities is over”.
PCSF Working Group / Interest Group overview for afternoon meeting – not much new here.
Six 20 minute presentations in the plenary session
1) Control Systems Security Certification Organization (CSSCO) – Eric Byres
A study on the generation of a CSSCO was funded by about ten vendors and asset owners. Goals: Development of Interim Standards, Creation of a Conformity Assessment Process, Enabling and Managing Conformity Assessment Services to Industry. Eric stressed independence as the key.
Chip Lee from ISA takes over. ISA is taking over his effort through the Automation Standards Compliance Institute. Timeframe is May – September for the group to be established and beginning work. All sounds good, but probably two + years away from certified product if all goes well.
2) Vulnerability Coordination and Disclosure – Art Manion, CERT/CC
Methodology: Collect – Analyze – Coordinate – Publish
Provide enough information so users can make an appropriate risk decision.
At the time of PCSF 2006: Five vulnerabilities reported and one published Vulnerability Note.
PCSF 2007: 33 vulnerabilities reported and five published Vulnerability Notes.
My assumption is most of those 33 are the 25 vulnerabilities Lluis Mora submitted from his OPC research presented at S4. I know of one other researcher that has submitted a vulnerability complete with remote exploit code to US-CERT / CERT/CC.
3) Procurements Requirements Language – Gary Finco, INL
Good program, but nothing new in this presentation.
4) Applying NIST SP 800-53 to Industrial Control Systems – Stu Katzke (NIST) and Joe Weiss (Applied Control Solutions)
Joe starts with some general comments, SCADA is a misused term, difference between control systems and IT. I think we are past this discussion, at least for those who attend these events.
Finally getting to the meat – – an effort to extend SP 800-53, Recommended Security Controls for Federal Information Systems, to protect control systems. Should be completed “in the next couple of weeks”. Keith Stouffer will lead the effort to make the extended standards available to industry standard groups. “Would like to see convergence between the Government and Industry standards” for a consistent level of security.
It will be interesting to see how much the security in SP 800-53 is loosened up in these “extensions”.
A technical report comparing SP 800-53 to the NERC CIP will be out shortly, and don’t forget SP 800-82 Guide to SCADA and ICS Security.
5) Enhancing Control System Security in the Energy Sector – Hank Kenchington, DoE
SLAP is now OPSAID and is an open source project. More on that later in the conference.
DoE will issue a solicitation to fund new SCADA R&D projects this year.
Interactive Energy Roadmap will be an online source to track control system security projects. This is an opportunity for researchers and others with tools to gain a little visibility. You can enter your project, and pending approval, it will get added to the roadmap. This is also a place for someone looking for solutions. Check it out.
I’ve seen and heard this so I ducked out.
Control Systems Research Interest Group
This group has not received any traction in past years, and there is not a lot of evidence that it will after this meeting. A lot of the problem is there is no money in this effort and few vendors or asset owners that are willing to put resources in this group. Like a lot of these efforts it will likely take a couple of people to devote a lot of time to drive this.
A slight salvage to this session is a presentation from the University of West
ern Floria that they call multi level agent technology. The concept is the code would be mutated so there would be multiple versions of the code in the device. Data would be sent to all mutated agents and they would vote on the result.
An example would be a buffer overflow attack on vulnerable code. It may be successful on one of the mutations, but cause the others to crash. This doesn’t prevent a crash, but the crash would identify the problem and the need to patch the code.
This is probably completely impractical, but it was a new idea, at least in this space, presented with good technical detail and implemented and proven for an application and a buffer overflow attack. Well done.