Thursday, November 18, 2010

Stuxnet Hearing

The Stuxnet hearing yesterday before the Senate Homeland Security and Governmental Affairs Committee was interesting for a couple of reasons. First it was one of the few informational hearings that I have watched where the congresscritters actually seemed to be interested in hearing what the witnesses had to say. Second the only political posturing came from one of the witnesses, none from the questioning politicians.

The Politics

Senators Lieberman and Collins opted to have their official opening comments entered into the record without reading them, providing more time for the witnesses to talk and respond to questions. There was none of the typical speechifying in the questions; they were all short and to the point. The questions were intelligent, informed and actually sought information. If more congressional hearings were conducted in this manner, Congress might actually learn some things.

The witnesses all commended the Committee on their work on S 3480 and expressed their support for the legislation. None of them pointed out that the bill doesn’t specifically address the control system security issues that might have something to do with Stuxnet defense or mitigation.

The only real disappointment in the hearing was the testimony and responses from Mark Gandy, the sole industry representative. While Gandy works for Dow Chemical, he was actually representing the American Chemistry Council. He could have provided some valuable insights about control system security issues from the user’s perspective. Instead he spent most of his time spouting the standard ACC chemical security political mantra: voluntary efforts, $8 billion spent on security, support for the current CFATS program, we have everything under control, etc. The exact same testimony could have been given at any of a number of hearings. It was a waste of the Committee’s time and contributed nothing to the Stuxnet and control system security discussion.

PET PEEVE RANT WARNING: How many times do we have to hear about the ‘$8 Billion dollars that ACC members have voluntarily spent on upgrading their facility security since 9/11’? First off, the figure hasn’t changed in two years; surely the expenditures have continued. Second, your opponents don’t care about what has been done; they are interested in specific things they want to see happen, and you need to discuss those issues if you don’t want the measures imposed upon you. Finally, in this instance that figure means little; how about telling the world what you have done about control system security?

Stuxnet Information

Sean McGurk, Acting Director, National Cybersecurity and Communications Integration Center, U.S. Department of Homeland Security, provided some interesting political theater at the start of his testimony when he held up a USB drive and told the Committee that it contained Stuxnet. If true, I hope he keeps that drive locked up; it’s one drive we don’t want to see go missing. His opening remarks and printed testimony provided a good overview of the current DHS cyber security program and ICS-CERT, as well as a pretty good, if brief, overview of the Stuxnet worm.

For those people who questioned what ICS-CERT was doing during the initial phases of the Stuxnet investigation, McGurk told the Committee about the efforts undertaken at INL to deconstruct Stuxnet in their malware lab. He noted that they set up a control system, complete with PLCs, to watch what the worm did. It would be interesting to see a report on those efforts to see whether they discovered anything that Symantec and Langner have reported about the worm.

I think the most important information about Stuxnet came from Dean Turner, Director, Global Intelligence Network, Symantec Corporation, in response to a question from Sen. Collins (R, ME). Turner told the Committee that there were 1600 unique Stuxnet infections in the US and that fifty of them were in systems that included Siemens control system components. That is more than three times the last number that I’ve seen reported by Siemens worldwide.

I would understand why Symantec would not publicly release the identity of those fifty systems, but I would hope that they have shared or (at least) will share that information with ICS-CERT. Given the difficulty in cleaning a system of Stuxnet, it would be helpful if an ICS-CERT team would help ensure that those fifty systems have actually been cleared of their infections.

Process Information

Sen. Coons (D, DE), the Committee’s newest member, asked a very interesting question. Given the testimony about the ability of Stuxnet to capture and report system information, the Senator asked if this capability placed trade secrets at risk. All of the witnesses opined that yes, they thought that intellectual property was at risk. McGurk explained that Stuxnet accessed process history files, which would allow an attacker to reverse engineer the development of the process.

I think that this issue might have been a tad bit overblown. The amount of equipment knowledge that an attacker would need to reverse engineer the process development from the computer commands sent to the PLCs is immense. If the attacker had that sort of insider knowledge, they would likely already have access to process development information. Besides, process changes are not based entirely on information obtained from measurement tools that are connected to the control systems. A major source of information driving process development comes from lab testing of in-process and final product samples. Without access to that information, there would be no understanding of the reasons that changes were made.

In his response to this question Turner explained that Stuxnet had the capability to install ‘back-doors’ on infected systems, and those would allow the attacker to steal design information. It wasn’t clear if he was talking about the reporting capabilities that have been widely discussed in the reports on Stuxnet or a specific feature that could provide a new entry point for future access. If the latter is the case, close inspection of all Stuxnet-infected machines (not just control systems) seems to be indicated.

Response to Stuxnet

Michael J. Assante, President and Chief Executive Officer, National Board of Information Security Examiners, in his written testimony provided the Committee with a number of important recommendations to help protect critical infrastructure from Stuxnet-like attacks. His testimony should be required reading for every security manager with responsibilities for an industrial control system and for Congressional staffers preparing cyber security legislation for the next session of Congress.

One point that I think demands special attention (particularly when looking at recent SCADA vulnerability disclosures) is the need for a reporting requirement. In his testimony (p. 10) he notes that there should be a requirement for “critical infrastructure asset owners and control system vendors to report industrial control system specific security incidents and the U.S. government must provide up-to-date information to asset owners and operators on observed adversary tactics and techniques, especially when investigations reveal attacker capabilities to side-step or exploit relied upon security technologies.”

Sen. Lieberman asked each of the witnesses if they thought that the response to Stuxnet required voluntary or government-mandated programs. Assante was the only one who unequivocally stated that DHS would benefit from additional authority, including a mandate for reporting of incidents. McGurk’s reply was a particularly disappointing bureaucratic one: he didn’t make policy, he just did what he was told. Turner recommended that Congress take measures to shore up the “existing voluntary communications channels”.

The best argument for increased DHS authority came from the representative from the industrial user community, Mark Gandy. He reported that industry was doing just fine, thank you, with their voluntary efforts, though he did note that the CFATS program would help counter this threat. This head-in-the-sand point of view, if held by any significant portion of the user community (and I’m afraid that it is), provides the best argument for adding vigorous control system security requirements to any comprehensive cyber security legislation. If industry does not now recognize the potential threat to their control systems, and their completely inadequate preparations to prevent such an attack, then voluntary programs will no longer suffice.

S 3480 Status

On a final note, Sen. Lieberman did provide a brief, undetailed (I know that word is not in the dictionary, but I’m sure you know what it means) explanation of why S 3480 has not been (and will not be this session) brought to the floor of the Senate even though it has been ordered reported by his Committee. He noted that there were ongoing negotiations with other committees with legitimate interests in the cyber security arena. He did promise that the bill would be re-introduced early in the 112th Congress.

When they hold hearings on that bill next year I hope that they bring Mike Assante back to testify. He has the necessary technical background, regulatory experience and the passion for control system security that will help Congress formulate the necessary legal framework for the regulation of industrial control system security in critical infrastructure applications.
