OSINT analysis of U.S. capabilities to attack industrial control systems

I'm very pleased to announce that Sean McBride, co-founder of Critical Intelligence, is our latest speaker at Suits and Spooks Boston. With Sean's addition, we'll have the most aggressive set of talks on how to take down critical infrastructure that I've ever seen at any security conference. Here's a summary of Sean's presentation:

Title: OSINT analysis of U.S. capabilities to attack industrial control systems

Critical Intelligence provides industrial control systems (ICS) security stakeholders with actionable intelligence pertinent to protecting information assets that operate physical critical infrastructure. This presentation, which fuzes official military doctrine, state department leaks and sanction lists, control system vendor forum comments, online resumes, and traditional news reports, represents the most comprehensive OSINT effort to characterize the capabilities of the United States government to attack ICS undertaken to date.

Before coming to Critical Intelligence, Sean instituted and led the situational awareness effort for the Department of Homeland Security (DHS) Control Systems Security Program (CSSP) at the Idaho National Laboratory (INL).

The complete agenda and registration information for Suits and Spooks Boston is here. We only have a few seats remaining so register today and don't miss this opportunity to get no FUD, in-depth, solid information on offensive tactics against CI.

Add to Cart View detail

15 Attack Plans To Disrupt or Destroy U.S. Critical Infrastructure

On October 18, 2012 at the Larz Anderson Auto Museum in Brookline, MA, I've invited 15 subject matter experts who will provide unique offensive attack plans designed to disrupt or destroy water, power, transportation, communication, healthcare and banking systems; i.e., the nation's critical infrastructure. There will be no media in attendance nor will any of those presentations be made available to the public. Only the attendees of Suits and Spooks Boston will hear those plans along with the vulnerabilities in each sector that make those plans viable.

This is the most ambitious Suits and Spooks event that I've held to date and the reason why I've organized it is because there's a serious lack of information among decision makers in the public and private sector regarding actual vulnerabilities. Instead what's most often heard are inflated threats of a "cyber 911" or a multitude of technical exploits involving SCADA software and hardware that only about 5% of the population understands. It's impossible to develop effective solutions without first understanding the reality of the threat landscape surrounding critical infrastructure. At SNS Boston, our experts will present offensive tactical plans in precise, non-technical language. I can promise you that the information communicated to you on October 18th will cause you to shift your thinking around security in profound ways. Dale Peterson, for example, will show you how an adversary could take out thousands of power plants around the world and disrupt large parts of the electrical transmission system. Suits and Spooks Boston will be the first time that such a plan has ever been presented.

A few of our subject matter experts include:

COMMUNICATIONS: Mr. Henry Shiembob, Executive Director Cyber Security & Fraud Operations, Verizon.

WATER: Mr. John Sullivan, Chief Engineer at the Boston Water & Sewer Commission; member of the board of directors at the Association of Metropolitan Water Agencies and Chairman of the board of managers at the WaterISAC.

POWER: Mr. Dale Peterson: Dale is an internationally-renowned SCADA security technologist. In addition to his widely read SCADA security blog Digital Bond, Dale has written two Protection Profiles for NIST’s PCSRF, many whitepapers, magazine articles and presentations.

BANKING: Mr. Phil Rosenberg: Director, Deloitte Financial Advisory Services; 39 yrs experience in the collection and analysis of strategic policy relevant and actionable financial intelligence for banks, corporations, and governments.

HEALTHCARE: Mr. Christopher Burgess: COO and CSO, Atigeo; Prior to joining Atigeo, Burgess was senior security advisor to the CSO at Cisco. He also served 30 years within the Central Intelligence Agency, from which he retired and was awarded the Distinguished Career Intelligence Medal.

PHYSICAL PLANT SECURITY: Mr. Rob DuBois: Red Team Operations Manager and Author of “Powerful Peace; A Navy SEAL’s Lessons on Peace from a Lifetime at War”

We are capping our attendance at 130 and limiting our sponsors to no more than 5 in order to provide maximum benefit to everyone who participates. Our current sponsors include Basis Technology, RecordedFuture, and LookingGlass Cyber Solutions (there are two remaining if you're interested). If you register to attend SNS Boston by August 18th, you can take advantage of the super early bird rate of $195, which is a savings of $200. Complete information including how to register is available here.

Add to Cart View detail

Learn how to Take Down a State's Power Grid, Transportation System, and Other Critical Infrastructure

President Obama wrote an Op-Ed piece for the Wall Street Journal last Friday which described a catastrophic attack against the transportation and water sectors of our nation's critical infrastructure. He then pressed for passage of comprehensive cyber security legislation. While Congress and the White House have a sense of what might occur, they don't seem to be aware of the technical vulnerabilities involved or they would know that none of the current cyber security bills pending in Congress could stop such an attack even if they were enacted into law.


Therefore I've decided to invite some of the world's leading experts in protecting critical infrastructure to present how they would mount an offensive attack against their respective industry sectors at the next Suits and Spooks anti-conference to be held October 18th, 2012 in Brookline, MA. For obvious reasons, this event will be closed to the press and none of the presentations will be made public. 


One of our speakers will be Dale Peterson, the founder of Digital Bond, Inc., a control system consulting and research firm that also hosts the most visited SCADA security site and the S4 conference. He began work on control system security in 2000 after beginning his security career as an NSA cryptanalyst. In his presentation for Suits and Spooks Boston, Dale will provide detailed scenarios on how how an adversary would take out thousands of power plants around the world or large parts of the electric transmission system. 


Another one of our speakers will be Rob DuBois, a retired U.S. Navy SEAL and current manager for Red Team operations at a U.S. defense contractor. Since the threats aren't only digital, Rob will walk the audience through how a highly trained team would mount a physical attack against a key facility.


Our keynote speaker will be Dr. David A. Bray who currently serves as Principal Strategist and Senior National Intelligence Service Executive with the National Commission for Review of Research and Development Programs of the U.S. Intelligence Community. Prior to joining ISE, Dr. Bray served as a strategist at the Institute for Defense Analyses and the Science and Technology Policy Institute. In 2009, he deployed to Afghanistan as a Special Advisor to STRATEGIC EFFECTS for NATO’s International Security Assistance Force and U.S. Forces Afghanistan, with the task of helping to “think differently” on critical strategic efforts. Dr. Bray also served as IT Chief for the Bioterrorism Preparedness and Response Program at the U.S. Centers for Disease Control and Prevention, where he led the technology aspects of the bioterrorism program’s response to 9/11, anthrax in 2001, SARS, and other outbreaks. 


This will be the fourth Suits and Spooks event since I first started holding them in September of 2011 and it may be the most critical one yet. The information that will be shared on October 18th by our speakers (a complete list is available at the website) will clearly lay out offensive options that could wreak havoc on up to six key components of critical infrastructure - water, power, transportation, communication, health care, and banking. Due to the timeliness and the importance of this topic, we're going to cap attendance at 130 instead of 100. If you'd like to be part of this history-making event, registration begins today.

Add to Cart View detail

An Open Source Offensive Methodology To Attack Critical Infrastructure

The goal of this article is to demonstrate how attackers with moderate skill levels can cause disruption to outright destruction of critical infrastructure installations around the world at low cost and in relatively short order. Contrary to popular wisdom, an attack against a nuclear power plant or hydro-electric plant doesn't require long periods of time nor the resources of a nation state. All that's required is some open source research based upon the findings of S4's Project Basecamp, familiarity with how to use Rapid7's Metasploit Penetration Testing Software, and one or more individuals with engineering training in Industrial Control Systems.

Project Basecamp identified four Programmable Logic Controllers (PLC) with major security flaws made by GE, Koyo, Rockwell, and Schneider:

• GE D20
• Koyo DirectLOGIC ECOM
• Rockwell Automation ControlLogix
• Schneider Modicon Quantum

The vulnerabilities discovered in each of those devices have become Metasploit modules which penetration testers can use against their own network to demonstrate vulnerabilities that need to be fixed. Metasploit, while a valuable tool for security engineers to "sell" needed improvements to their employers can also be used by bad guys to attack networks. In this case, the above modules have simplified the process for not only launching an attack against a utility operator but also in identifying which utilities to attack by doing some open source research. Once you know that you can exploit a particular device, it's relatively easy to use a search engine and identify which utilities use that device. Those companies then become your target list. For example, Capula Nuclear is a GE technology partner that uses the D20, D25, D200 and D400 Remote Terminal Units for 65 substation control systems across the U.K's power grid. That means that a major act of sabotage could be perpetrated against Britain's grid by a hacker with intermediate process control engineering knowledge for the price of a single Metasploit license.

Schneider Electric's customers include the Three Gorges Dam in China (the world's largest hydro-electric power plant) and multiple utilities in France, India, the U.S., Spain, Australia, Brazil, Italy and many other countries - any of whom may be susceptible to attack via the Metasploit module for Schneider Electric.

This is literally a disaster waiting to happen. The above vendors along with Siemens (who wasn't included in Project Basecamp because its S7 vulnerabilities were already well-known) have done nothing to remediate the disclosed vulnerabilities. The boards of directors of companies who use these products aren't forcing their CEOs to change them out for more secure devices. The U.S. Congress won't pass legislation requiring U.S. companies to stop using those devices because of political pressure from business interests who don't want to a) be "forced" to do anything and b) hurt their profits by spending the money needed to fix their networks. It's because of that cluster-f__k that penetration testing research like the Metasploit Framework exists and ironically it may be that same research which is used to bring harm to thousands of innocent victims who rely on their utility companies to provide critical services. 

Add to Cart View detail

The President's Cybersecurity Legislative Proposal Has No Teeth

On May 12, the White House announced its Cybersecurity Legislative Proposal to Capital Hill via a blog post by Cybersecurity Coordinator Howard Schmidt. I reviewed the section on critical infrastructure on my flight back from DC after speaking on this topic at the Cyber Security Strategies Summit. Predictably it's all bark and no bite. To wit:

If the Secretary determines, after conducting such a review, that the covered critical infrastructure is not sufficiently addressing the identified cybersecurity risks, the Secretary may:

(A) enter into discussions, or request another agency with sector-specific expertise to enter into discussions, with the owner or operator of the covered critical infrastructure on ways to improve the cybersecurity plan or the evaluation, which may include the provision of technical assistance;

(B) after discussions permitted in subparagraph (A), issue a public statement that the covered critical infrastructure is not sufficiently addressing the identified cybersecurity risks; and

(C) take such other action as may be determined appropriate by the Secretary;

except that the Secretary shall not, in enforcing the provisions of this Title, issue a shutdown order, require use of a particular measure, or impose fines, civil penalties, or monetary liabilities on the owner or operator of the covered critical infrastructure as a result of such review"

To put this in proper context, imagine that this proposal had to do with any other type of infrastructure: a bridge, an oil pipeline, your house. And let's say that the general contractor for that bridge project doesn't comply with the requirements. What happens then? He could get a stern talking-to (Section A); possibly get some publicity (Section B) which would probably land him a guest spot on Fox news as the little guy standing up to Big Brother's unreasonable demands that make it impossible for him to earn a living; or be subject to some other unidentified action (Section C).

Now here's what cannot happen to the builder of that bridge that you and thousands of others drive across twice a day:

• He cannot have his project shut down for non-compliance. 
• He cannot be fined for non-compliance. 
• He cannot be held financially responsible if the bridge collapses and people are killed or injured. 
• He cannot, essentially, be told what to do. 

This is clearly a ludicrous scenario for any type of physical infrastructure which is precisely why builders get fined, sued, or arrested and prosecuted if they don't comply with the law. However in the upside down world of "cyber", it's par for the course even when we're speaking about critical infrastructure (telecommunications, energy, financial services, water, and transportation sectors).

Let's move from the example of a bridge to one of a power plant. In the real world, the government regulates the construction of every aspect of a nuclear power plant or a hydro-electric dam except one: the protection of its networks. That's neither rational, nor responsible. The federal government must find a way to bring cyberspace into its existing authorities because if something is truly "critical", compliance cannot be voluntary or somebody doesn't know what "critical" means.

Add to Cart View detail