Observations from RSA, BSides, and GABA

Saturday, March 03, 2012

Joe Weiss


I attended the RSA Conference, BSides Conference, and the German American Business Association (GABA) cyber security meeting in San Francisco the week of February 26th.  

"SCADA security", critical infrastructure protection, and power grids were on many peoples minds.

However, many of those talking about those subjects did not really seem to understand its true issues: their focus was on protecting the control system network's connections to the Internet.

RSA: The RSA conference had every possible track except for one on control systems!  There were a number of vendors offering security solutions aimed at the SCADA market (that's progress).  

Stuxnet was being discussed by many without understanding the controller aspect. Most of the vendors were using technologies developed for monitoring IT networks and applying them to the "SCADA" networks.  There were very few vendors (none that I found) that were addressing the field controllers.

BSides: Monday February 27th a presentation was made: "SCADA Security: Why is it so hard?"

The presentation was illuminating in that it treated only the HMI part of SCADA systems and essentially considered them a subset of corporate IT. An unfortunate aspect was the discussion of patches. The presentation did not address the unique issues associated with patching control systems.

It made no mention that the operating systems used by many of the major control system vendors are modified versions of Windows for which standard Microsoft patches are not appropriate. There was also no mention of ISA99.06 Patch Management for Industrial Control Systems.

The presentation did not address field controllers. In fact, it assumed field devices did not have intelligence and could not be accessed. Both of these assumptions are wrong. There is certainly an opportunity for learning.

GABA: On Tuesday evening February 28th, I attended the German American Business Association (GABA) program: "Cyber-Security: The European and US Approach to a Common Challenge".  The speakers were:

Howard Schmidt, Special Assistant to the President, Cyber Security Coordinator at Executive Office of the President, White House

Prof. Dr. Norbert Pohlmann, Chairman TeleTrusT / IT Security Association Germany

Dr. Joerg Borchert, Vice President, Infineon Technologies

Kurt Roemer, Chief Security Strategist, Citrix Systems

Dr. Sandro Gaycken, Institute of Computer Science, Freie Universitaet Berlin, Germany

Highlights were:

- Dr. Gaycken made the point that in Germany government can regulate more forcefully than in the US, and stated in essence that German utilities had addressed cyber security. I found that surprising and doubtful - German utilities may have "addressed" the issue, but as the systems being used are not secure they certainly have not solved it.  From first-hand knowledge, German utilities are just as susceptible to control system cyber threats as any others including those in the US.

- Howard Schmidt mentioned that he had issues with the term "attack". Specifically, he didn't feel that a distributed denial of service was necessarily an "attack". I mentioned that most of the control system cyber incidents in my data were not malicious but still caused significant damage. Howard and I agreed that, if the lights go out, there is a problem regardless of whether it was malicious or not.

- I mentioned that "my head hurts from banging it against a wall" in terms of trying to get the message out about control system cyber security. Howard encouraged me to keep going (it's not his head). 

Even though we seem to be making progress on awareness, there certainly is a long way to go to actually understand the subject.

Cross-posted from ControlGlobal.com's Unfettered Blog - copyright 2012 and ff by Putman Media Inc. All rights reserved.

Possibly Related Articles:
Industrial Control Systems
RSA SCADA Stuxnet Infrastructure Security BSides Industrial Control Systems Joe Weiss Power Grid HMI GABA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked