Wednesday, March 19, 2014

A Social Summary of SANS ICS Security Summit 2014

Since I went solo there's been less time for blogging but I hope to catch up a little with this mega post on the just-concluded, 9th annual SANS ICS Security Summit which took place in the Contemporary Hotel at Disney.

Where I can I'll include Twitter IDs, as for many of us, Twitter is how we stay abreast of what we find interesting and what we're thinking about in between real world meet-ups. (Note: I only include these when they're unique to the individual and not shared by a company or org.)

I won't cover all the talks because I didn't attend all of them, and I apologize to those presenters I don't cover here. Nor was I at "Game Night" (though I wish I was) which from what I heard later was a fantastic and grueling hack-fest that extended into the wee hours before champions finally emerged.

For those of us lucky to be at the hotel Sunday night, and to know what was going on, a four-act play called "Exposure to Closure" or "The Heist" penned by Ben Miller @electricfork was really something. With MC Tim Roxey @ScubaNuke providing intros, transitions, and running commentary, all injected with equal parts wisdom and levity, and a cast of characters from the really-not-ready-for-prime-time SANS ICS players, for me it was the highlight of the trip, even before the conference officially started.

The audience got to see, in four acts and sixteen scenes, the full sequence of an attack on a utility control center, the confusion, analysis and corporate squirming that ensues, and how it resolves relatively peacefully (in this case) in the end. Mark Fabro stole the show with a swift and spooky transformation from dweebish uber-geek to a credible threat to another actor's physical security.

Chris Sistrunk @chrissistrunk and Adam Crain @automatak kicked things off smartly as twin fuzzing brothers from different mothers providing an overview of the many flavors of fuzzing, and the DNP3 protocol and how it's being made more secure (less insecure). At one point, Chris noted that with much of the initial badness having been attended to, "We're starting to look at the back yard and are finding it a bit overgrown. Some things are turning up there - like cars." They make a great instructor duo.

Then we had an analyst panel, moderated by John Pescatore @john_pescatore and including Bob Lockhart, Sid Snitkin and myself. It seemed to go pretty well.

Eric Byres @tofinosecurity followed by thoroughly excoriating the concept of patching ICS systems and transitioned to a tour-de-force explanation of deep packet inspection (DPI) that, like a good Bugs Bunny cartoon, communicated on many levels. Meaning: I think I understood most of it, but the more experienced folks around me seemed to get insights from it as well.

The presentation by Marc Ayala @ICS_SCADA and Eric Forner demonstrated an attack on a mini water pump which turned the stage momentarily into Sea World, serving as a warm-up act for Kyle Wilhoit's @lowcalspam real-world honey pot presentation the next day documenting how global bad guys pursued what they believed to be the control system of a far more substantial pump, constructed by Kyle, at a municipal water tower. We all learned a lot from these two presos.

Nadya Bartol @NadyaBartol presented on ICS supply chain security issues and by the time she was done, the scope and complexity of supply chain challenges to ICS became all-too-clear. Ernie Hayden, sitting next to me, tried to lighten my mood by informing me that there are 127 BIOS vendors alone.

I missed the presentation on the new Global Industrial Cyber Security Professional (GICSP) certification, but in case you did too, I've put a link to it HERE.

The first presentation I made it to on day 2 was "Cybersecuring DoD Industrial Control Systems", during which Michael Chipley provided more content, pound for pound, than all of Monday's presenters combined. Each of his many slides was a universe in and of itself, and there was a multiverse of them. But that's the DoD we know and love, and Michael did a great job of plotting its progress, in which he plays no small part, from DITSCAP to DIACAP to the NIST CSF structure in which they're inserting, among other things, the most up-to-date guidance on control system security. As masterful conference MC & Chairman Michael Assante said afterwards, "leave it to DoD to build a model where elevators and anti-ballistic missile systems are in the same category."

I had a good lobby talk after that preso with Michael and Chris Blask @chrisblask. We were keying on how the I in ICS serves to exclude a big chunk of the systems and devices we all care about, and mused on whether the term would eventually transition to something more all-encompassing like Cyber Physical Systems (CPS), Internet of Things (IoT, though that's not quite right) or simply, control systems.

Then we had another panel session, this one on the framework of the moment, the NIST Cybersecurity Framework and its relationship to DOE's Risk Management Process guide and C2M2 family. The group included Ed Goff, Jason Christopher @jdchristopher and substituting for the snowed-in Samara Moore, Nadya Bartol. These three did a great job and now we all understand perfectly how these guidance documents fit together. Moderator Michael Assante pointed out, more than once, that Nadya's cogent and succinct statements qualified her for service in the Executive branch of government.

Air Force Lieutenant and famous writer Robert M. Lee @RobertMLee, author of the I-call-'em-like-I-see-'em 2013 article "The Failing of Air Force Cyber," and its companion piece SCADA and Me: a Book for Children and Managers, basically stole the show at this point. Not an expert, but rather a "lifelong learner," Rob reviewed the book's simple messages, and highlighted some of the more disturbing reactions to it, including:
  • A Pentagon General who told him "I keep your book on my desk and share it with management." Which led Rob to suggest to the SANS audience: "At some point in your career you must admit that YOU ARE MANAGEMENT." 
  • He also shared a one-star Amazon review along the lines of "I've been a nuclear engineer for 10 years and I got nothing out of this book."

Towards the end, Rob said the book has been translated into multiple languages and then flashed the cover of SCADA y Yo: Un Libro Para Niños Y Directores. I'm not sure why that was so funny, but it sure was.

I mentioned Kyle's talk earlier, so that brings us to the penultimate preso, Stacy Cannady's overview of how OEMs can improve the integrity of their products despite the many threats they face, and vulnerabilities they can't help but include. It was very well done.

Of my own preso on Security Governance at utilities, all I can say is I wish it went more smoothly. I should have known better, following a presentation on trusting and not trusting devices, that the slide-advancing pointer in my hand might turn against me. I've got a solution though: I'm going to cut my slide count from 30 to 1, and who knows, maybe 1 is 1 too many these days.

I highly recommend you block off your calendar for the 10th annual version of this event next year. It's going to be on 1 April or thereabouts if I heard Mike right. This one was more educational and more fun than any conference I've been at in recent memory.

Andy @andybochman