The ICSJWG meeting was this past week in Denver, and the schedule was packed with great presentations, and speakers with a wealth of experience to share with the ICS community. There was a significant bump in attendance this time around. Attendees were from a mixed bag of industries and sectors, we had vendors and owners, oil, gas, electric, manufacturing, and the usual faces from the ICS community. This was my first time attending, and enjoyed myself thoroughly.
This year’s keynote was given by Billy Rios, of Spearpoint Security. Billy is known for a take no prisoners approach to security, demonstrated by the 1,000s of bugs he and business partner Terry McCorkle have reported over the past year to ICS-CERT. The keynote was an exploration into the mind and motivations of security researchers, why they spends hours of personal time meticulously analyzing commercial products for vulnerabilities, why many make use of public disclosure as a tool to get issues fixed, and touching on the controversial exploit market as well . The major point the community debated on during week was that vulnerability research is both an established business and a means to promote a brand. In this business is market pressure to sell vulnerabilities to other ‘interested parties’, and often these transactions won’t reach the light of day, meaning the product stays vulnerable. This contrasts with the promotion of a brand, where researchers can establish their credentials and capabilities by publicly disclosing issues, and get issues fixed. A good keynote generates controversy and discussion over the entire conference, and Billy’s had that effect.
With three separate tracks each presentation hour, I didn’t have the opportunity to see every presentation. However, one of the more interesting presentations I was able to attend was “ICS Challenges in Naval Surface Combatants”, given by two US Navy professionals. The presentation talked about improvements in new classes of warship, and how automation was providing a significant benefit in naval control systems. Acquisition and certification of the naval ICS is a challenge the US Navy will face in it’s new warships, and cyber security is a large part of those challenges.
Panel discussion for Day 1 discussed interoperable standards for ICS security. Each panelist was given time to present components of their research, and then opened to the floor for questions. I got involved in the discussion at one point, regarding a developing proposal for interconnecting new and existing control systems over common carrier. I’m all in favor, as this could provide a significant cost savings for many types of critical infrastructure. It obviously has security implications as well, but my main focus was on ensuring that connected control systems would have a guaranteed level of service, so that there would be a reasonable expectation of appropriate latency, message delivery, and timeliness. Different control systems have different requirements, and it would be detrimental to use a common carrier without ensuring communication requirements could be met to a certain standards. The communication standards for different types of control systems would need to be addressed, otherwise owners could consider the approach too great a risk. Cost savings alone merit further study here.
Day 2 started out with a lively presentation by Mark Fabro, where he discussed how our normal use of probabilistic risk was not appropriate to the cyber domain, and how using a capabilities model would be more representative of the threat environment. Mark also advocated the use of attack trees when modeling how attackers would interrupt your process. The attack tree discussion was a fascinating dive into the mind of an attacker, and even had some references to the much maligned “Live Free or Die Hard”. Joel Langill, the SCADAhacker, followed Mark with a solid 101 networking presentation for the more automation minded, the main theme being how basic networking practices can give security benefits.
Day 2’s panel was “Separation or Unification”, which discussed the implications, and fallacies, around the separation of control systems from the rest of the world. I would discuss in more detail, but most of my attendance was towards the tail end, which consisted of a lot of binary discussion. Binary, in the sense that something was either wrong and should be removed completely from ICS, or right, and should be used everywhere. I would welcome comments from other attendees regarding this panel.
There was also this guy named Michael Toecker that gave a talk on the Microsoft Attack Surface Analyzer tool.
Ed: Fixed incomplete statement regarding exploit market 10/19 @ 10:00