Note: This week has been full of depressing events, and our main hope is for everyone to get through this safely. The future will be brighter, and let’s use some of this time of isolation to figure out what we want and start creating it.
Making Six S4x20 Ideas Happen
You attend a conference. Let’s even say it is a great, inspiring conference full of new ideas (ahem … S4). You head back home, and it is all to easy for your day-to-day challenges to overwhelm any thoughts of pursuing even the ideas you thought had merit.
So one of areas of focus at S4 Events is to help push some of the promising ideas forward, and hopefully have some progress to report at S4x21. Here are the top six that we are reaching out to help make happen.
1. What To Patch When?
We know there are often 1,000’s of security patches missing in an ICS. We also know that applying most of these patches will have little or no impact on cyber risk, and there are a small number where applying the patch will result in significant risk reduction. At S4x19 Art Manion of CERT/CC proposed a decision tree based answer to the what to patch when question. At S4x20 the approach progressed, and we showed how using the asset inventory and the decision tree could automate the decision process.
Now we need to actually make this happen. The decision tree and 4 of the 5 factors are available. What is missing is a feed that rates how exploitable the vulnerability is (DHS CISA?) and asset owners who want to pilot this approach.
2. Incident Command System for ICS (ICS4ICS)
This idea came from Megan Samford who experienced how an Incident Command System and pre-planning allowed states, first responders, electric utilities and others to pitch in during major incidents such as a hurricane. At S4x20 Megan proposed ICS4ICS. At first blush this appears to be something that would be government led, but who knows? With DHS and CISA pushing for state and local involvement in cyber security this seems like a perfect project. Can we create an equivalent set of resources ready to step in when something really bad happens to the critical infrastructure?
3. Pwn2Own for ICS (Offensive Testing)
Trend Micro’s Zero Day Initiative (ZDI) brought their Pwn2Own competition to ICS at S4x20. Top offensive talent found a number of exploitable vulnerabilities (and the contestants won $280K). While most of the work in continuing Pwn2Own Miami is ZDI’s, the community can help by encouraging the key applications and devices to participate. Or maybe even donating some hardware so PLC’s can be part of the next competition. The goal is to find and fix these vulnerabilities.
4. Practical Use of SBOM’s in ICS
Allan Friedman and others have been promoting the need and methods of creation of a software bill of materials (SBOM). It is easy to understand the importance and value of knowing what is in your systems, whether you are the asset owner, integrator or vendor. The question the panel addressed at S4x20 was what would the asset owner and vendor do with an ICS SBOM if/when it exists. A SBOM will be a lot of information, and it is only of value if it is used for a useful purpose.
5. PLC Secure Coding Practices
Any good security development lifecycle will have secure coding practices. Some of these are enforced by development tools and others through the developer’s diligence. Well there are similar secure coding practices for PLC’s and other Level 1 devices … or at least there should be. They are rarely documented, taught or followed. Jake Brodsky gave some great examples in his Stage 2 session. This is such an obvious, and almost universally ignored, need. Let’s do something about it.
6. Expanding The ICS Security Community
At S4x19 we created the one-day OnRamp Workshop to get newcomers up to speed fast on what they needed to know to participate in ICS cyber risk discussions. It was 101-level content. At S4x20 we held a similar 201-level Workshop called The Highway. These are both being offered online at no charge in 4 – 8 week Workshops along with videos, discussion boards, Q&A and bonus articles, audio and video. The workshops are not designed to be replacements for the more in-depth and hands on SANS, ISA, and other courses. They are valuable for those new to ICS security and those that are in related fields. People who won’t be ICS security professionals, but still participate in cyber risk discussions. Engineers, management, IT, executives.
I’ve started reaching out to people to see if we can get some pilots and publicity on these efforts. If one of these six is of interest please reach out to me or put something in the comments.
We are also tracking and trying to build on the S4 Charity Water Campaign. We have raised a total $51K in the last two S4 Events. The first $20K is already in the field refurbishing wells in Eastern Uganda, and we will hear where the next $30K is being allocated. We will be getting GPS coordinates and other updates to see how the campaign has provided clean water sources that will last decades for well over 1,000 people.