I was very happy to see the recent S4 Conference validate what I have been saying for more than 10 years about the cyber vulnerability of control system devices. The S4 Conference also raises some very serious questions about the effectiveness of DOE and DHS in securing critical infrastructure. Dale Peterson had publicized the Basecamp project for many months. Yet neither DOE nor DHS took any proactive steps, either to do the testing on their own (isn't that what our tax money is for?) or to become part of the Basecamp project. The Basecamp team was able to perform this very good work within two months, without government support, and with some individuals who were not control system experts.
A quick summary of the inadequate, or worse, responses from DHS:
- ICS-CERT issued advisories only after S4 made the vulnerabilities public. With this kind of response, maybe all ICS-CERT needs is links to websites and newspapers.
- The best DHS did for Stuxnet was issue useless information. The worst was to advise end-users to take actions DHS KNEW would not address Stuxnet. Why did DHS and ICS-CERT not provide appropriate information?
- Stifling reports on a water SCADA hack from February 2011 that was identified (and confirmed) on a LinkedIn site. What is DHS trying to hide?
- On August 1, DHS issued a bulletin on the Anonymous hacker group (DHS Bulletin: Anonymous/LulzSec Has Continued Success Using Rudimentary Hacking Methods):
"Anonymous has stated its intent to target companies related to certain Critical Infrastructure / Key Resources sectors. Future attacks are likely to continue but will likely remain limited in scope due to a lack of advanced capabilities. Some members of LulzSec have demonstrated moderately higher levels of skill and creativity that include using combinations of methods and techniques to target multiple networks. This does not take into account the possibility of a higher-level actor providing LulzSec or Anonymous more advanced capabilities. Therefore, it may be advisable to adjust monitoring of both internal and external resources for indications of a pending or ongoing attack on cyber or telecommunications networks." You don't need to be a nation-state, or has that fact escaped DHS?
- The DHS butchering of the Illinois water hack incident, where DHS claimed there was no evidence of a cyber attack. What they didn't say was that there was also no evidence that there was NOT a cyber attack: there is no control system logging or forensics to provide the needed evidence. However, when a utility states it has OBSERVED glitches in remote access to SCADA for more than 2-3 months, one should wonder. What is DHS trying to hide?
In September, INL issued the report Vulnerability Analysis of Energy Delivery Control Systems (INL/EXT-10-18381), dated September 2011 (http://energy.gov/sites/prod/files/Vulnerability%20Analysis%20of%20Energy%20Delivery%20Control%20Systems%202011.pdf), for DOE. For years, DOE and INL have focused on the security of SCADA systems with much less focus on field devices (RTUs, IEDs, PLCs, etc.). This decision was made despite the fact that field devices are inherently less secure and that compromises of these devices can lead to significant, long-term outages. Ignoring RTUs, IEDs, and PLCs does not make sense when one considers the many known vulnerabilities in these systems. Moreover, the ACS Conference (where a VxWorks-based RTU was taken over within 2 days) and the S4 Conference Basecamp project demonstrate that it is no longer necessary to be a national lab or a nation-state to exploit these vulnerabilities. Why did DOE exclude these devices?
DOE and DHS are not utilizing appropriate industry expertise or attending the conferences where real results are discussed. DOE and the utilities are now starting a joint effort to secure the grid. Yet, recently, the utilities voted down Version 5 of the NERC CIPs. Many of the devices that have been demonstrated to be so vulnerable would not be addressed by the NERC CIPs anyway.
Who is responsible for protecting critical infrastructure?
Joe Weiss