The 12th ICS Cyber Security Conference was held Oct 22-25 at the Old Dominion University’s Virginia Modeling Analysis and Simulation Center – but did not quite go to plan…
Organizer and security expert Joe Weiss has blogged about the conference on the Control Global Unfettered blog. Although he discusses the conference in general, including observations such as “I found it disconcerting that more than 5 years after the Aurora [powergrid cyber-vulnerability] test very few of the critical infrastructure attendees understood the technical issues with Aurora,” most interest is nevertheless focusing on his comments on information sharing.
“Anecdotal evidence,” he writes, “shows that sharing of forensic cyber-incident information by vendors with their customers is insufficient, ranging all the way from at least one case of withholding information.” A Reuters report expands on the issues. “Two talks about a nuclear power plant’s potential vulnerabilities to cyber-attack were canceled after an equipment supplier threatened to sue.” The problem here was that the “vendor complained that the talks would have revealed too much information about its own gear.”
But this wasn’t the only information sharing problem. Weiss wrote, “There was a discussion of a project using Shodan with selected key words that found more than 500,000 Internet-facing control system devices all the way to device IP addresses.” But the research company “did not tell U.S. authorities where they were installed ”, says Reuters “because it feared being sued by the equipment owners.” This may or may not be related to the Unprotected backdoor into industrial control systems revealed last week – no-one is saying. But if not the same problem, it is undoubtedly a very similar one since the CoDeSys vulnerability affects any internet-facing device that uses it. Weiss continued, “An example of the information sharing difficulty is the researcher actually contacted a water utility when he found they had ICSs that were remotely accessible to anyone with an Internet connection. The end-user appeared to not understand the impact and essentially ignored the warning.”
This problem in information sharing is not simply one-way. Reuters also reports that attendees were “alarmed to learn that because the government has kept a technique it discovered for attacking electricity generation equipment secret for five years, potential targets had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves.”
But despite these difficulties, the conference itself was a success and will continue in future years. “Surprises (at least for me),” notes Weiss, included news that Stuxnet included a fifth Microsoft zero-day, and that “Flame was in the wild for more than 6 years before being discovered.”