Here is our list of the top ten stories rated by immediate and expected long term impact on the community.
An easy choice for number one. Even though we have had both control system and IT experts give apocalyptic quotes for years on how they could easily take down large parts of the critical infrastructure, nothing prior came close to alarming those outside the community as the video showing a cyber attack cause physical damage in demonstration power plant. Shaking and smoking trumps words.
Reaction in the community was mixed and tilts slightly negative. Our reaction was nothing new here. There are large numbers of vulnerabilities in control systems that combined with process knowledge can cause damage (and without process knowledge can cause denial of service). That said, there is no denying that this has gotten Congress involved, made an impact on control system security coverage in the press, and probably gotten a number of C-level executives asking are we vulnerable to that attack I saw on CNN. Raising awareness is a good thing so in addition to being the number one story, we rate it a net plus for the community.
2) FERC/NERC/Congress and the NERC CIP’s
This top ten list is heavy on electric, but that was where the action was in 2007. FERC has been battling a bit with their ERO (NERC) primarily over lack of response to comments on the NERC CIP’s in December 2006. Lack of response led to a more official set of proposed changes published in a NOPR in July.
Given NERC/ERO’s approved consensus-driven / ANSI standards making process it is difficult to see how this would play out in FERC pulled out the hammer on the ERO. Whatever the result will be, it likely will take a lot of time. Hopefully, NERC/FERC and the Congressional overseers can find some common ground. Our recommendations have been to focus on providing more specific guidance on the existing requirements and developing audit tests with teeth that can be consistently applied.
Heaped on top of this discord was Aurora and Joe Weiss’s advocacy for dumping NERC CIP standards, which led to Congress getting involved in a more serious manner than previous hearings. Congress asks FERC hard questions and you know it rolls downhill. Even after this kerfuffle the NERC CIP train moves down the tracks with compliance requirements coming as soon as Q2 2008.
My guess is this will make the 2008 top ten list.
3) SCADA Presentations at Hacker Events
2007 marked the year when hacker events like DefCon, HITB, and Black and White Ball all included a SCADA presentation. This trend seems to be continuing in 2008. There was no real news made in any of these very basic presentations (some headlines and commotion but no real news) that were made circa 2002 at control system venues. That community is an inquisitive lot, and they will get better.
The obscurity argument continues to fade away, especially on systems purchased this decade.
4) Browns Ferry Incident
So many cyber related control system outages and other incidents remain secret, but NRC reporting requirements brought out the interesting case of a Safety Controller failure causing a Nuclear Plant to be scrammed. A safety VFD controller to stop responding “due to excessive traffic on the plant ICS network”.
Control system security pundits came down in two camps. One believed it was due to poor design of the switching and network infrastructure, and the other believed it was due to a protocol stack error that crashed went sent spurious traffic. We fall in the later camp because we have seen many controller Ethernet cards fail when lightly fuzzed or sent broadcast traffic.
5) Wurldtech, Mu and a dash of ISA
In 2007 Wurldtech Security Technologies introduced their Achilles Certification and Mu Security introduced their MUSIC Certification. Both companies use their test appliances to send thousands of legitimate, illegal and fuzzed packets at a control system device, typically a controller, to test the security and robustness of the protocol stack. To add a little spice to this competition, Eric Byres formerly of Wurldtech, joined Mu’s Advisory Board.
The good news for the community is that controller protocol stacks are getting tested, problems found and corrected, and asset owners have another information point for buying decisions.
Late in the year ISA got involved in the picture with their Automation Standards Compliance Institute (ASCI) Security Compliance Institute (SCI) that has a goal of creating an ISASecure certification program. This is off to a slow start and is looking at a two year timeframe for the first certifications.
Full Disclosure: Wurldtech was a Digital Bond client, and we assisted them in structuring and launching the Achilles Certification.
6) OPC Vulnerabilities
Lluis Mora and the team at Neutralbit sent 25 OPC server vulnerabilities to US-CERT in 2007. The affected vendors are slowly fixing these vulnerabilities which then are disclosed in vulnerability notes, NetxAutomation, Takebishi, and Gesytec.
Do the math. 25 vulnerabilities sent to US-CERT; 3 vulnerability notes; and over 20 OPC vulnerable servers implementations that the vendors have chosen not to fix a year later! Oh by the way, many still argue that we should trust the vendor to disclose and fix identified security vulnerabilities.
Neutralbit has made the tool available on a limited basis so asset owners can test their own OPC server.
7) Initial Steps in Regulation of the Chemical Sector
In 2007 DHS introduced Chemical Facility Anti-Terrorism Standards (CFATS). The current standards have very little to do with cyber security of the chemical plant DCS, about a similar amount as in the old Sandia RAM’s. However this becomes a regulatory vehicle that may be enhanced in the future to include more serious control system cyber security requirements.
Opinions on regulation vary greatly in the community, but it may be a trend to watch in 2008 as we are starting to see more action in Europe in this area as well.
8 Joe Weiss Unfettered
Love him or hate him, Joe Weiss moving from KEMA to form his own company, Applied Control Solutions, and more importantly become Unfettered, is a top ten story this year. Whether it is whispering in a Congressional staffer’s ear or shouting from the rooftops, Joe has significantly changed the NERC CIP debate. It will be interesting to see in 2008 he is successful in scuttling NERC CIP in favor of a ‘better’ standard.
9) Field Security Device Market
There is a saying in business school that there is not a market unless you have two vendors. In 2007 Byres Security and MTL introduced their Tofino field security device which joins Innominate’s mGuard product that has been out for years and sold in the 10,000+ quantity. These products’ primary purpose is a firewall, but they also can include IDS/IPS, VPN and anti-virus.
In October Hirschmann announced they would offer their own field security device rather than private label the Innominate product.
We are still skeptical about the size and viability of this market, but in 2008 we should have worthy products to test the market.
10) SCADA Security Scientific Symposium (S4)
Ok. We are a bit biased and want to give a shameless plug for S4 2008.
After years of frustration in high level, hand-waving, buzzword, 20-minute “technical presentations” dumbed down for a non-technical audience we felt compelled to create an event where researchers can present technical papers in detail to a technical audience. S4 2007 papers included most of the control system vulns disclosed in 2007, secure control system protocols, new security metrics and test methodologies, and methods and algorithms to detect attacks in control systems.
Seriously though, this control system security community is not going to advance unless a published body of knowledge and venues for researchers to discuss and collaborate results is available. If you doubt that, look at how little progress was made 2000 – 2006. I saw the same thing happen in the crypto world in the late 80’s / early 90’s. We already see in the S4 2008 papers that researchers are building on past results in S4 2007 papers. There is still a shockingly low level of worthwhile SCADA security research out there, and we look forward to the day when we are choosing between 50 or 100 respectable S4 submissions.
Happy Holidays and best wishes for 2008 to all of our loyal readers!!!