I just returned from 3 days at the RSA Security Conference in San Francisco. This is billed as the world’s largest cyber security conference. There were more than 18,000 attendees with more than 200 speakers. I want to personally thank RSA for recognizing the ICS community with 5 sessions on control systems and Smart Grid. The sessions were:
- CIP Take 2 – Where will the race to compliance lead us – Jon Stanford-BPA, Joe Weiss-ACS
- Hacking the smart grid; the myths, nightmares, and professionalism – Gib Sorebo-SAIC, Matthew Carpenter-Inguardians, Matthew Franz-SAIC, Seth Bromberger-PG&E
- Smart Grid Security Standards – Darren Highfill, Bobby Brown-Enernex, Matthew Carpenter-Inguardians, Annabelle Lee-NIST
- Cracking Down SCADA Security – Jason Avery-TippingPoint
- What makes infrastructure critical and how is IT increasing the risk – Laurent Webber-WAPA, Michael Echols-SAIC, Jon Stanford-BPA, Joe Weiss-ACS
I didn’t have a chance to attend all of the sessions because of scheduling conflicts. As best as I can tell, there were fewer than 10 control system personnel who attended, including speakers; the rest were IT.
I wanted to discuss my observations of the Hacking Smart Grid and Cracking SCADA sessions. (Note - neither session had representation from the ICS community). During the Hacking Smart Grid session (http://www.wired.com/threatlevel/2010/03/smart-grids-done-smartly/), Matthew Carpenter made the following statements that I have real problems with:
- There have been no new cyber problems
- Pen test everything
- The biggest problem with Smart Grid is using AMI to remotely disconnect meters
All three of those statements have significant problems… in fact they are wrong.
There have been new cyber problems that are ICS-related, including Hatch, Aurora, and, according to the RISI database and my own, well over 100 others. These weren’t IT. They were flatly cyber events that happened in Industrial Control Systems.
Secondly, pen testing legacy control systems WILL shut them down or do even worse. It isn’t a question of whether pen testing will damage legacy control systems but when. I repeatedly asked vendors and experts alike if they had ever worked with non-Windows embedded controllers like PACs and PLCs. Uniformly the answer was “No.”
I believe the most significant cyber issues with the Smart Grid are the vulnerabilities introduced into the grid itself, not turning meters on or off.
If what Matt Carpenter said is indicative of what he really believes, one really has to question the technical underpinnings of the NIST Smart Grid efforts. As an aside, I was asked by GAO about my thoughts on Smart Grid and the NISTR. I have been heavily involved with NIST for years on SP800-53 and SP800-82 efforts (non-Smart Grid) and have the utmost respect for NIST’s capabilities. I wish I could say the same for the Smart Grid efforts.
Jason Avery of TippingPoint talked about hacking SCADA. Consequently, I asked him the following questions:
- Did you look at non-Windows devices – NO
- Did you address system-of-systems issues – NO
- Are you aware of control system issues with SCADA systems – NO
I don’t know about Jason Avery, but it would have embarrassed me to admit to such ignorance.
Once again, we come smack up against the problem that there are very few industrial cyber security experts. Hopefully, this is something my book will help to fix.
It really doesn’t look like we’re making real progress in Industrial Control System security yet, does it?
Joe Weiss