ICS-JWG Fall Meeting 2012
The Industrial Control Systems Joint Working Group Fall Meeting 2012 is being held in Denver, Colorado this year, organized by the DHS ICS-CERT. Yesterday, Billy Rios from Spear Point Security kicked off the meeting with a discussion that included mention of vendors’ defensive postures and the exploit brokers out there. A couple of other talks included speakers from Raytheon and the DHS. For someone who savors the technical meat at Infiltrate, Defcon and Project Basecamp, it seemed that I was surrounded by vegans. For example, when one speaker was asked whether or not their product thwarts the common pass-the-hash techniques that can enable APT-related post-exploitation lateral movement from corporate to SCADA networks within ICS environments, the speaker explained that their product uses pass-the-hash and other mathematical techniques that he couldn’t discuss to defend networks. Huh. A generational air gap also seems to be in place here, with most of the speakers at least twice the age of the speakers leaning into fresh offensive (and some defensive) security topics at Black Hat, Infiltrate, etc. Cultural differences abound.
A talk later in the day about 13 ways to evade firewalls could be boiled down to a few thoughts: XSS problems are enabled by SSL proxies, sneakernet exacerbates USB security issues, and misconfigured firewalls are an issue within ICS environments. These are all decade-old discussions, but they may offer some insight to top-level folks who have had no exposure to ten-year-old security issues. The unfortunate thing is that these sorts of vulnerabilities continue to be present within critical infrastructure environments.
The second day seems to be starting off with much more interesting talks. SCADAHacker Joel Langill’s talk on “Utilizing TCP/IP Addressing Scheme for Network Isolation” demonstrated the usefulness of subnet masking and the misunderstandings that arise when VLANs are relied on to enforce network security policies. Joel runs a fantastic site, sharing links to information that complements some of the ICS cyber-security consulting services he performs.
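The addressing-versus-VLAN point above, as an added illustration that is not taken from Joel’s talk or from any tool mentioned on this page: a small Python check over a constructed host inventory (the zone names and addresses are assumptions) that flags hosts whose configured subnet mask places another zone’s hosts on-link. Such a host would ARP for them and send directly, and if the VLAN boundary is not actually enforced at layer 2, the traffic never reaches the gateway where the firewall policy lives.

```python
import ipaddress

# Constructed inventory: name -> (zone, address/prefix). Assumed values, not from the talk.
HOSTS = {
    "corp-ws":   ("corporate", "10.1.5.20/16"),   # mask too wide: also covers the SCADA range
    "corp-ws2":  ("corporate", "10.1.5.21/24"),   # correctly scoped to the corporate subnet
    "scada-hmi": ("scada",     "10.1.200.10/24"),
    "plc-1":     ("scada",     "10.1.200.11/24"),
}


def on_link(src_iface: str, dst_iface: str) -> bool:
    """From the sender's point of view: does its configured subnet contain the
    destination address? If so the host resolves it with ARP and sends directly,
    bypassing its default gateway (and whatever firewall sits there)."""
    src = ipaddress.ip_interface(src_iface)
    dst = ipaddress.ip_interface(dst_iface)
    return dst.ip in src.network


def zone_crossings(hosts: dict[str, tuple[str, str]]) -> list[tuple[str, str]]:
    """Return sorted (src, dst) pairs where a sender believes a host in a
    different zone is on-link, i.e. addressing alone does not separate them."""
    findings = []
    for sname, (szone, siface) in hosts.items():
        for dname, (dzone, diface) in hosts.items():
            if sname == dname or szone == dzone:
                continue
            if on_link(siface, diface):
                findings.append((sname, dname))
    return sorted(findings)


if __name__ == "__main__":
    for src, dst in zone_crossings(HOSTS):
        print(f"{src} treats {dst} as on-link: mask and zone boundary disagree")
```

The check is the host-side view only; a correctly implemented VLAN would still drop the frames at layer 2, which is exactly why the mask, the VLAN assignment and the firewall placement all have to agree.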
Dr Nabil Adam from the DHS Science & Technology Directorate demonstrated CEMSA, a powerful modeling framework they have developed that provides ways to model and understand the credible consequences of multiple interacting critical infrastructure disruptions. The consequences and disruptions evaluated here, based on concrete data about US-located industrial operations such as chlorine gas plants and online network backbones, are the shocking stuff that folks have speculated about for years as “cyber Pearl Harbors”. The difference is that this intelligence and data analysis is the real deal in its precision and in its comprehension of planned attacks, cascading events, and coincidental disruptive events. It goes beyond ICS environments to help policy and decision makers understand and prioritize disruptive impacts. It is currently available to “anyone interested” from US-based government agencies.