Project Basecamp

While Kim Zetter’s Wired article had a sensational “Vigilante” teaser headline, it was a fair accounting of the presentation at S4. And I was very pleased that she captured a couple of key quotes on the “why” of Project Basecamp and our goal of making it a Firesheep moment for PLC’s.

Eric Butler’s Firesheep plugin for the Firefox browser made it simple for anyone who could operate a browser to hijack Twitter, Facebook and Hotmail http sessions in a coffee shop’s wifi. This security problem related to cleartext cookies that had not been addressed 2+ years after researchers disclosed it. After Firesheep the outcry from the users was so widespread that https quickly became a configurable option and in a few more months the default.

Eric Byres’ in his S4 recap mistakenly wrote that the Project Basecamp goal was to shame vendors into fixing the problem. We don’t expect vendor shame to result in any change. Our hope is that the resulting Basecamp tools, particularly the Metasploit modules, will make demonstrating the ease of compromise and potential catastrophic impact possible for any owner/operator, vendor, consultant or anyone else involved in ICS. C-level executives running the critical infrastructure SCADA and DCS will know beyond any doubt the fragility and insecurity of these devices. Hopefully they will find this unacceptable, demand their vendors offer a secure replacement, and spend the money to replace the PLC’s.

Admittedly this will take time, but ten years has passed already and there has been scant progress. If owner/operators don’t replace these PLC’s then the idea that these are truly critical systems that can never go down is a myth and significant fragility and insecurity is an acceptable reality. I covered this and more in my introduction to Project Basecamp.

Let’s look closer at the GE D20ME as an extreme example:

  • It is very widely used PLC in critical infrastructure ICS
  • The pSOS OS in the D20ME was end-of-life in 1999
  • The hardware is even more ancient, a 68030 processor from 1987
  • Many of the insecure by design “vulnerabilities” are well known by the vendor, ICS security “experts”, DHS and other government organizations around the world
  • This product is so fragile that it stops working if you even look at it wrong
  • Nothing has been done to address this in the TEN YEARS since the 9/11 attacks

This is a massive failure by everyone in the ICS community.

  • We can blame GE for not updating and continuing to sell this ancient, fragile and insecure product. GE even admitted they would not address security issues in this product in a Sept 2010 service bulletin.

AND

  • We can blame GE customers for not demanding and paying for a robust solution from GE or a competitor. They get off the hook a bit because neither GE, DHS, other governments, consultants, automation press or anyone else was being straight with the customer on how bad this situation is.

AND

  • We can blame DHS and other governments, who claim some responsibility for securing the critical infrastructure, for not applying pressure or providing honest information for ten years.

AND

  • We can blame consultants for accepting this fragility and insecurity. Consultants are suppose to be the experts who push customers in areas where they are uncomfortable and need a push.

I’m not suggesting that Digital Bond and me personally are not blameworthy as well. We have participated for the entire ten years and have not caused any change in this area. We have accepted that this should be kept quiet so no one outside the community knows how bad it is, and we have not pushed hard enough inside the community.

In my opening S4 remarks that you can see below I said, “What we have done over the last ten years isn’t working. We must try something different.” Basecamp is our different approach. We think it will get PLC security started and make a difference, but there is no guarantee it will be successful and many people I respect feel differently. My challenge to all of you in the industry, especially the “respected experts”, is what are you going to do that is significantly different than what has failed over the last ten years to make progress in ICS security?