
There has been a common theme in cyber security to have great discoveries follow on the heels of new tools. This situation exists in the sciences in general, and has been described by Isaac Newton, Stephen Hawking, and others as “standing on the shoulders of giants”, where the giants are those who have come before, often cutting their way through dense jungle, so that we can pick up the machete ourselves and continue, potentially making great discoveries in the process.

What’s even better is when a new tool comes along that opens up a new facet of cyber security to inspection and analysis. These tools transform complex concepts and science into commonplace analysis, allowing access to specialized science and technology that we had limited access to before.

A recent example is the Shodan search engine, a simple concept and large effort that allows researchers and others to search for internet-facing systems, for whatever purpose they desire. Research using the Shodan search engine has uncovered unsecured SCADA, hundreds of thousands of vulnerable devices, potential misconfiguration, and other insecure situations. Without the Shodan engine, researchers who wished to look for these devices had to develop their own scanning and analysis infrastructure, not a simple task.

But this is the past… What future giants will help shape how cyber security and ICS research will move? And what tools should we be developing to move the needle on ICS security progress?

A commonly shared opinion is that the opening of the radio spectrum to easy analysis will lead to new research on radio-based devices, both in ICS and in regular cyber security. With a large chunk of automation being supported by radio in the 900 MHz spectrum, the RFCat is a must. I’ve written up my review of my experience with RFCat training here, and @at1as does many training events during the year as well.

Second, bug hunting is often depicted in the media as an ‘individual sport’, with an image of some researcher bent over a keyboard, hunting and pecking. Not only is this view false, it’s very damaging from a sustainability perspective; fundamentally, the vendors out there that don’t do much security testing think that decent testing requires lots of manpower. The real pros, like Billy Rios and Terry McCorkle, have an automated infrastructure where software goes in, is processed, and the results are easily analyzed after the fact for the really nasty issues. They find more bugs while drinking beer and playing with their kids than any hunt-and-peck search.

Last, we all know most automation devices are inherently insecure, with protocols that do not provide integrity, access control, or authentication to ensure that the commands issued are coming from appropriate sources. So, we can make a finding like the one at the right, but what have we done to demonstrate this vulnerability? Well, we have some plugins for the Metasploit project for SCADA that can demonstrate this, much better than a simple one-liner in a report. (MTEdit: Uh, no production demonstrations, got it?)

So, my question to those who read: What tool should be developed for ICS Security that currently does not exist? What problem needs to be solved in a group manner before individual research can continue?

title image by Gage Skidmore