Today I had the pleasure of attending a SCADA Security Briefing sponsored by InfraGard, the Louisiana Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) and Cimation. The presenters were Special Agent Will Hatcher (FBI), Devin King (GOHSEP) and Marc Ayala (Cimation). There were about 20 attendees from Louisiana chemical companies, an ICS vendor, and the US Coast Guard.
The presentation by SA Hatcher was a good review of the change in the cybersecurity threat over the last 20 years or so (it was nice to hear someone talk about cybersecurity who remembers that hackers started out as phone phreakers, stealing service from Ma Bell). It was a fairly comprehensive review of changes in IT and ICS security issues over time. As one would suspect, SA Hatcher has had more experience with IT security issues, but he had a good understanding of recent ICS issues and looked at DUQU-Flame-Shamoon as potential reconnaissance tools for future ICS attacks.
Devin gave an interesting presentation on the cybersecurity programs that he has helped develop for the Louisiana Fusion Center, one of the first cyber-fusion units in the country. Once again, his main background is IT security, but, because of the large petrochemical industry in the State, there is a significant interest in developing ICS-related cyber-security information sharing in the State Fusion Center. He noted in the presentation that he is getting significant information about cybersecurity incidents from State and local government agencies (about 50,000 reported cyber-attacks of all sorts per week), but nothing from the private sector. He solicited input from the audience, noting that the unit was able to provide a variety of situational advisories and an extensive IP Blocking list.
Marc gave an interesting presentation on ICS security, having worked with ICS systems for a number of years. He included an interesting story about an ‘air-gapped’ control system that he had looked at that was based on an old-style pneumatic control system; the only problem was that the compressor supplying the control system air was a new-fangled, electronically controlled system complete with an internal web server.
Marc provided an interesting bit of information about the recent attacks on pipeline control systems. It seems that ICS-CERT updated their advisory (ISCA-12-136-01D) on their restricted server last week. The new version provides lists of files, versions and dates that have been found on affected systems; data that can be used to check computers for symptoms of attack. Marc pointed out that one of the files would look like it was a file for an Adobe file reader. This is a good reason for control system owners to have someone sign up for HSIN access to that controlled server. (NOTE: I'm not signed up for this because of information sharing restrictions on their restricted information; not a good thing for a blogger.)
Marc also provided a demonstration of the results of a denial of service attack on an AB PLC. He had a nice HMI-PLC system set up that controlled a pump motor on the other side of the room. First he showed how he controlled the pump motor from the HMI via the PLC. Then he sent some random signals to an open port on the PLC, simulating a DOS attack; it took just a couple of seconds for the pump to shut down. Even worse, he showed that the DOS attack also resulted in the instruction set on the pump controller being erased, so that it had to be reprogrammed before the system would work again. Then he demonstrated how a firewall device protected the open port.
This was one of a series of these briefings being conducted around the State. There is another one next month in Lafayette, LA (watch Marc’s blog at Cimation for registration information). I would certainly recommend that facility owners and security officers consider attending. I would also recommend that other state organizations consider contacting Cimation or InfraGard to set up similar briefings.