Thursday, August 14, 2008
Dr. Nate Kube and I attended the Applied Control Solutions Conference last week in Chicago, and it was an interesting event to say the least. Joe Weiss, the organizer of this event, has always done well with a “central theme” in such events, and this year was no exception.
Initial Impressions:
- The conference opened with a video presentation from US Congressman Langevin, and it is clear that the issue of SCADA and control systems security is an important issue to him and the US Government. See the video here.
- I was surprised at the number of IT folks there, from a number of different walks.
- From the conversations with such people, it was clear that a number of IT people are really wondering what to do. I asked a simple question during my presentation regarding how many people were IT related, and I would say 75% of the people there raised their hands.
- There were a number of government, national labs, and other government related people present, though notably I am not aware of anyone from DHS present at the event.
- There wasn’t much technical rigor at the conference, in terms of the number of sessions, but there were lots of updates from important government and regulatory related efforts such as InfraGard, NIST, NERC, FERC, and others.
- There continues to be a high amount of interest in a CERT for control systems, or a related private industry function, but we really are no further along in deciding whether or not industry thinks disclosure is a good idea, or how to do it.
- I did hear a disturbing message in that a number of asset owners are now “testing” their security, and using the information as leverage against vendors. While I do support the concepts of testing and working with the vendors to deal with issues, there does need to be a high level of technical rigor on such tests, and some measure of vetting so that vendors are not plagued with a high level of false positives, and asset owners are not plagued with a false sense of either security, or insecurity. We need to be very careful when basically arming everyone with such information, and there is still, in my mind, a high need for independent trusted third parties to help vet such data.
As I mentioned in last week’s blog article, we conducted a demonstration of compromising a safety system. Our presentation, where we crash trains after taking out a safety system and then the controller, was a “smash” hit (pun intended). We did not do a demo live, but did present the videos of the attack, and an in-depth discussion about how the attack was conducted. From our perspective, the attack was very simple (UDP fuzz and a LAND attack… yes, a LAND attack), but the message came across loud and clear to the audience. I think that the audience was shocked at just how little time it took us to discover and conduct the attack. As Nate eloquently put it, it took more time to put the little trains on the tracks than it did to disable the controllers.
I hope to get the presentation up on the web shortly, but the videos at last measure are over 300mb in size, so I have to do a bit more work to get them suitable for web viewing, and then the presentations will be up for all to enjoy.