
Thursday, 23 August 2012

Who Needs a Zero-Day? "Plants are Insecure by Design" - Dale Peterson

Dale Peterson of Digital Bond is one of the most respected security voices in the Industrial Control System community. He runs an annual SCADA security conference called S4 that's always filled to capacity and he has equal credibility with the U.S. Intelligence Community (Dale's an ex-NSA'er) and the private sector. His blog post "Suits & Spooks vs. Engineers" is a great read because it underscores an important issue: security engineers talking exclusively to other security engineers frequently results in nothing getting done. Here's how Dale put it in his article:
Over the past ten years I have seen a dramatic increase in cyber security of a specific DCS or SCADA system occur in two different ways: 
(1) A CEO/COO determines that ICS security is a top priority. In this case the security posture improves dramatically in 2 to 3 years. The security posture is at a level that most in the ICS security community believes is near impossible or doesn’t exist. 
(2) The Operations team determines that ICS security is a top priority. In this case the security posture improves to an appropriate level in 5 to 7 years. Improving ICS security is much more of a time investment than equipment purchase, so with the right emphasis and diligence over years an Operations team can get there. 
So one key is to convince CEO/COO or those that influence CEO/COO that run SCADA and DCS that they need to get serious about securing their ICS. Convince them it is in their best risk management interest to devote resources to this and measure results. Unfortunately, we are reaching few if any CEO/COO at ICSJWG, WEIScon, SANS Summits, … or on this website. 
Of course it would help if those active in ICS security would stop “the soft bigotry of low expectations”. The security deficiencies from insecure by design to basic security implementation vulns are frequently bemoaned, but the same people who recognize the dire situation more often make excuses than call people or companies out to fix the real problem.
Please read Dale's entire article, and if you agree, please support Suits and Spooks Boston by registering to attend and spreading the word. And if you want to add your company's name to the event, we're still looking for one more corporate sponsor.

Thursday, 09 August 2012

15 Attack Plans To Disrupt or Destroy U.S. Critical Infrastructure

On October 18, 2012 at the Larz Anderson Auto Museum in Brookline, MA, I've invited 15 subject matter experts who will provide unique offensive attack plans designed to disrupt or destroy water, power, transportation, communication, healthcare and banking systems; i.e., the nation's critical infrastructure. There will be no media in attendance nor will any of those presentations be made available to the public. Only the attendees of Suits and Spooks Boston will hear those plans along with the vulnerabilities in each sector that make those plans viable.

This is the most ambitious Suits and Spooks event that I've held to date and the reason why I've organized it is because there's a serious lack of information among decision makers in the public and private sector regarding actual vulnerabilities. Instead what's most often heard are inflated threats of a "cyber 911" or a multitude of technical exploits involving SCADA software and hardware that only about 5% of the population understands. It's impossible to develop effective solutions without first understanding the reality of the threat landscape surrounding critical infrastructure. At SNS Boston, our experts will present offensive tactical plans in precise, non-technical language. I can promise you that the information communicated to you on October 18th will cause you to shift your thinking around security in profound ways. Dale Peterson, for example, will show you how an adversary could take out thousands of power plants around the world and disrupt large parts of the electrical transmission system. Suits and Spooks Boston will be the first time that such a plan has ever been presented.

A few of our subject matter experts include:

COMMUNICATIONS: Mr. Henry Shiembob, Executive Director Cyber Security & Fraud Operations, Verizon.

WATER: Mr. John Sullivan, Chief Engineer at the Boston Water & Sewer Commission; member of the board of directors at the Association of Metropolitan Water Agencies and Chairman of the board of managers at the WaterISAC.

POWER: Mr. Dale Peterson: Dale is an internationally-renowned SCADA security technologist. In addition to his widely read SCADA security blog Digital Bond, Dale has written two Protection Profiles for NIST’s PCSRF, many whitepapers, magazine articles and presentations.

BANKING: Mr. Phil Rosenberg: Director, Deloitte Financial Advisory Services; 39 yrs experience in the collection and analysis of strategic policy relevant and actionable financial intelligence for banks, corporations, and governments.

HEALTHCARE: Mr. Christopher Burgess: COO and CSO, Atigeo; Prior to joining Atigeo, Burgess was senior security advisor to the CSO at Cisco. He also served 30 years within the Central Intelligence Agency, from which he retired and was awarded the Distinguished Career Intelligence Medal.

PHYSICAL PLANT SECURITY: Mr. Rob DuBois: Red Team Operations Manager and Author of “Powerful Peace; A Navy SEAL’s Lessons on Peace from a Lifetime at War”

We are capping our attendance at 130 and limiting our sponsors to no more than 5 in order to provide maximum benefit to everyone who participates. Our current sponsors include Basis Technology, RecordedFuture, and LookingGlass Cyber Solutions (there are two remaining if you're interested). If you register to attend SNS Boston by August 18th, you can take advantage of the super early bird rate of $195, which is a savings of $200. Complete information including how to register is available here.


Wednesday, 01 August 2012

Russia's Kaspersky Labs to Develop a Secure O/S for Critical Infrastructure and Military Use

A Russian IT news service has reported that Kaspersky Labs is developing its own secure operating system for use in industrial control systems. One of Eugene Kaspersky's competitors, Renat Yusupov of Kraftway, predicts that Kaspersky is "most likely developing a process control operating system where security is vital. It will probably be used in production, aviation, transport, energy, and may be used for military purposes."

While Kaspersky Labs hasn't made an official announcement, it has advertised for a requirements analyst and a senior security system designer for SCADA automated control systems. The ad, which was listed with a HeadHunter website, also said that Kaspersky is developing a new secure operating system.

Kaspersky has been at the forefront of investigating the Stuxnet, DuQu, and Flame attacks against Iran, so the announcement that it's developing a secure O/S for the same types of systems that Stuxnet was designed to attack makes a lot of sense. Further, the quality of their security research plus the fact that Russia produces some of the best software engineers in the world suggests to me that this product could be in high demand, especially by its Rosatom customers. However, Kaspersky's close relationship with Russia's security services should also be considered by its potential customers. Under Russian law, the FSB could ask Kaspersky to include a backdoor in its secure O/S and the company would be required to comply. In fact, I can't imagine the FSB missing out on such an opportunity for intelligence collection against potential customers among the Commonwealth of Independent States, India, China, South Africa and others.



