
Tuesday, 09 October 2012

OSINT analysis of U.S. capabilities to attack industrial control systems

I'm very pleased to announce that Sean McBride, co-founder of Critical Intelligence, is our latest speaker at Suits and Spooks Boston. With Sean's addition, we'll have the most aggressive set of talks on how to take down critical infrastructure that I've ever seen at any security conference. Here's a summary of Sean's presentation:

Title: OSINT analysis of U.S. capabilities to attack industrial control systems

Critical Intelligence provides industrial control systems (ICS) security stakeholders with actionable intelligence pertinent to protecting information assets that operate physical critical infrastructure. This presentation, which fuses official military doctrine, State Department leaks and sanction lists, control system vendor forum comments, online resumes, and traditional news reports, represents the most comprehensive OSINT effort to characterize the capabilities of the United States government to attack ICS undertaken to date.

Before coming to Critical Intelligence, Sean instituted and led the situational awareness effort for the Department of Homeland Security (DHS) Control Systems Security Program (CSSP) at the Idaho National Laboratory (INL).

The complete agenda and registration information for Suits and Spooks Boston is here. We only have a few seats remaining so register today and don't miss this opportunity to get no FUD, in-depth, solid information on offensive tactics against CI.

Thursday, 23 August 2012

Who Needs a Zero-Day? "Plants are Insecure by Design" - Dale Peterson

Dale Peterson of Digital Bond is one of the most respected security voices in the Industrial Control System community. He runs an annual SCADA security conference called S4 that's always filled to capacity and he has equal credibility with the U.S. Intelligence Community (Dale's an ex-NSA'er) and the private sector. His blog post "Suits & Spooks vs. Engineers" is a great read because it underscores an important issue: security engineers talking exclusively to other security engineers frequently results in nothing getting done. Here's how Dale put it in his article:
Over the past ten years I have seen a dramatic increase in cyber security of a specific DCS or SCADA system occur in two different ways:
(1) A CEO/COO determines that ICS security is a top priority. In this case the security posture improves dramatically in 2 to 3 years. The security posture is at a level that most in the ICS security community believes is near impossible or doesn’t exist. 
(2) The Operations team determines that ICS security is a top priority. In this case the security posture improves to an appropriate level in 5 to 7 years. Improving ICS security is much more of a time investment than equipment purchase, so with the right emphasis and diligence over years an Operations team can get there. 
So one key is to convince CEO/COO or those that influence CEO/COO that run SCADA and DCS that they need to get serious about securing their ICS. Convince them it is in their best risk management interest to devote resources to this and measure results. Unfortunately, we are reaching few if any CEO/COO at ICSJWG, WEIScon, SANS Summits, … or on this website. 
Of course it would help if those active in ICS security would stop “the soft bigotry of low expectations”. The security deficiencies from insecure by design to basic security implementation vulns are frequently bemoaned, but the same people who recognize the dire situation more often make excuses than call people or companies out to fix the real problem.
Please read Dale's entire article, and if you agree, please support Suits and Spooks Boston by registering to attend and spreading the word. And if you want to add your company's name to the event, we're still looking for one more corporate sponsor.

Wednesday, 19 October 2011

Et Tu, DuQu?

If Symantec and F-Secure are correct and DuQu was written by the same people who created Stuxnet, then that means that the U.S. government is behind it. But Idaho National Lab, which some people think created the Stuxnet virus and which hosts ICS-CERT's Security Operations Center, didn't have a copy of the malware. They had to ask Symantec and McAfee to share their sample. The key question to ask in this puzzle is: who has access to the Stuxnet source code? This post claims that Anonymous released the Stuxnet source code back in February; however, according to Mikko Hyppönen's latest post on DuQu, that's not correct. Binaries were released into the wild but not the source code. Ralph Langner, who has done some of the best work on Stuxnet to date, has also told me privately that the source code has never been released. At best, some work has been done in reverse-engineering it. Knowing Ralph's singular focus on Stuxnet, if the source code was in the wild, he'd be the first person to grab a copy.

So if you believe the party line (which I don't) that the U.S. with the help of Israel created Stuxnet, then the U.S. is also the creator of DuQu. If we stay with that chain of reasoning, then as we learn more about DuQu and its use, an entirely different conclusion may be reached which points to an actor other than the U.S. DuQu was apparently involved in stealing information from an ICS manufacturer. Why would the U.S. use the Stuxnet source code to create a RAT to steal information from Industrial Control System (ICS) manufacturers? It already has access to most of the corporations who develop these systems through the National SCADA Testbed Project run by 3 U.S. national labs, including INL. At least one Command & Control server was hosted in India. Why would the U.S. pick India and not China, our favorite cyber adversary?

It's too early to know what DuQu is for, and no one knows where it came from, but facts are facts. The source code for Stuxnet isn't available in the wild, and if the same group is responsible for both pieces of malware, and you believe that the U.S. is behind Stuxnet, then you need to own the logical conclusion of that belief. If the facts around DuQu, now or in the future, point away from the U.S. then you need to re-consider whether the U.S. was ever involved in Stuxnet at all. After all, take a look at the part of the world that McAfee has identified as being DuQu's target area.

There are lots of nation states for whom this part of the world has significant appeal and who would benefit from a sophisticated info-stealing virus; in some cases much more than the U.S.
