OK, let's get going. Welcome, one and all, and thanks for coming out today. I'm Dan and I'll be moderating today with Dusan as usual as we welcome Eireann Leverett to the Hack Chat to talk about SCADA Security. I've really been looking forward to this as infrastructure security has been much on my mind lately.
Hello everyone!
https://www.nccoe.nist.gov/events/virtual-workshop-preventing-and-recovering-ransomware-and-other-destructive-cyber-events
Great workshop on ransomware hosted by NIST and NCCoE today - just ended
Welcome Eireann, and please accept my apologies in advance for any fat-finger mistakes on your name
It's not an easy type, is it?
So many vowels...
Can you start us off with a brief intro?
Fun fact; Eireann is Irish for Irish.
And diacriticals....
Indeed, though I never complain if people leave the fada out.
(the accent)
I know, I feel bad for not including those. But keeping up with the letters is tough enough for my fingers as it is.
Hey @JImmyMoe - doesn't ring a bell right off, but I know we've covered a ton of projects like that. I'll see if I can dig something up...
Thank you so much Dan! I would so appreciate it.
Murph
So brief intro: I have been doing security since about 2005, with some enthusiasm for phones before. I think I got an early insight into SCADA or ICS security because I grew up for a time in Ohio.
My grandparents owned a farm, and I spent summers there. There were many stories of burning rivers from industrial pollution.
"The River Caught Fire": The Cuyahoga River Fire of 1969
They even named a beer after it as I got older: Burning River Pale Ale.
Good evening all
Yeah, it wasn't a good period
So my point is, at a very young age I had a sense that industrial systems could have big impacts.
Hello all
Hola amigos
Like most people in my twenties I didn't know what I wanted to do. Eventually, after trying many jobs, I ended up studying AI and Software Engineering in Scotland. From there I worked for GE Energy on software that controlled distribution grids. Mostly energy, but some water too.
That was my introduction to SCADA, and then I started doing vuln management and secure coding team building for them with my main hard hat hacker Colin Cassidy.
Are you still in electric?
No. Or rather not directly.
From there I ended up going to Cambridge, and then penetration testing at IOActive.
Where does that sound familiar... IOActive
I returned to Cambridge to work on risk after 3 1/2 years of globetrotting with IOA. Colin is still with them, after leaving GE.
At the time, it was hard to be a SCADA security person. IOActive had some of the finest, mostly ex Idaho National Labs.
Do you think full separation of environments (OT vs IT) can increase resilience against APT threats? (My answer would be No 8-) )
Woo-hoo, Idaho!
Well, dividing the environments does make it somewhat more resilient.
Back in the good ole days
After pentester burnout I moved into risk to critical national infrastructure and general cyber risk at the Cambridge Centre for Risk Studies.
Sup Ronnie!
=) long time no talk sir!
Congratulations on your seed!
whew thanks! now all that's left is to execute
Plenty of opportunity still in OT security as everyone can probably tell
I still spend a little time at CCRS, but most of my time is spent in cyber insurance mathematics.
I'll leave it there lest I bore everyone.
:D
:lol
I heard today the cyber insurers are bleeding badly - is it true?
So that's me in a nutshell, a bit hacker, a bit engineer and safety, a bit maths and probability.
Help me out: OT vs IT?
Sure, a classic divide.
It's basically work culture. OT is operational technology and IT is, well, everyone knows that... the point being...
2 totally different worlds
OT - Operational Tech. (All the ICS, SCADA and IoT world) to separate from "office IT world"
In IT you change fast, and in OT you want hardcore change management and safety checks.
@toet exactly
Any opinions on SBOM to share?
So IT wants to patch everything as fast as possible and OT wants to avoid change until it's really well verified.
But remarkably similar hardware and software? (Just different purposes)
Ok, but aren't we really talking about Enterprise Security?
Ah, operational. So, networks for the factory floor vs. "carpetland". Gotcha
Sure, and my experience is we can get them to work together, when they understand each other.
exactly that
@Dick Brooks I can get there a little closer to the end. I'm a fan though. My thought is really how much more can we use it for.
and that usually is a dayjob on its own
True, but a lot of security is culture change. Make them eat and drink together in each other's teams.
@eireann.leverett happy to have that conversation
There is a bit of this in my hobby (LinuxCNC) where we still support Ubuntu 10.04, because our users have working machines and don't want to risk that.
My mother says "People don't know what they ain't been through."
And sometimes, like with energy grids, the factory floor is basically as big as a continent
Anyone else going to tonight's 920SEC meeting here in Green Bay, WI?
So make 'em go through it and they suddenly have more capacity to understand each other.
During Y2K I tracked the global status, then was hired to review the US Joint Chiefs' planning scenarios. Y2K required all systems to be checked. Is this that serious?
Pain is a wonderful educator.
If you don't mind, I want to make another general point.
please
Infrastructure is like feet. You don't think about them or care for them until they stop working.
@JImmyMoe Yes we are. But these worlds are so different... To apply a patch for a vuln (like the sudo fix from late 2019) means to update 200k devices across the company, geographically distributed, in OT -> guess how many could be updated? (Hope you guess less than 10% :lol). That's what the OT world will struggle with for years.
Hi Eireann, would you be able to provide some ideas on what the most difficult SCADA, ICS, OT security challenges currently are? Is it securing the devices themselves from physical and external remote attacks? Segregating the "SCADA" network from other areas of the organization? or something else entirely....
@eireann.leverett epic truth :)
My side it's mostly segregation
ruling out the flat network
Great question, but also depends on how you like your difficulty served. Network segmentation is really hard, say, culturally and organisationally.
and creating test environments (sort of digital twins)
Securing applications is tough because we philosophically siloed safety.
So safety says we must X and security says we must Y and they don't integrate their thinking.
Lots of legacy related risks in operations too.
Much like OT and IT.
Indeed, risk management is about prioritising yourself on the risk register.
@RichardCollins In the 90s there were 20 desktops in the company, but now you have almost all staff equipped with a laptop or smartphone, and almost every PLC runs its own OS with a shitload of vulnerabilities
Don't touch a working environment :D
Guess what, most security folks didn't get into computers to do the economics of DDoS versus lightning storms.
So we have trouble beating weather for risk prioritisation. :D
@toet lol exactly
I also think protocols is REALLY hard.
I don't think the biggest issue with SCADA security is what needs to be done. It's how do you get anyone to enforce best / any security practices. I'll leave out small municipalities because they are smaller targets. My experience with industrial SCADA installations is that unless forced, they won't upgrade a thing until it's on fire. It's hard to even blame them. They drop 100,000 to millions on a setup that gives no upgrades unless they drop a bunch more.
I used to have to keep 36 Computers in our 3 Classrooms for Architects and Engineers 3DS Max Training. I found it easier to keep up if I scheduled each of the 3 groups on a regular basis and or after each class had come to the end of their cycled training. Can't remember exactly what I had but it was something like 3 computers every other day which kept me sane! I was a One Man Show.
from both a security and safety design POV, but also adoption.
And I guess we can't always tie Y (what security says) back to a safety issue, to help emphasize the importance... though outages and potential destruction of the equipment are a huge problem, not seeming very likely.. gets back to how difficult it is to quantify cyber risk
Getting bad in the western US, water rationing, soon people will have to decide how to use the precious water that is available: people, plants, electricity or fire fighting - not good
@Bill S Completely fair, and we could talk security economics and regulation approaches across the globe.
Security implementation (what I experienced) needs a mandate from the plant operator; he needs to push it.
FYI, I'll post a transcript of the chat right after we're done, in case anyone needs to refer back to links, etc.
(plant operator) i mean ceo
CEOs usually work in the "there is no glory in prevention" mode
I hope people don't mind if i bombard the chat with some links and books.
yes please
Bombs away!
https://www.conpolicy.de/en/news-detail/standardization-and-certification-of-the-internet-of-things/
On that regulation point, we wrote this for the European Union:
What's your opinion on connecting OT devices directly to the internet? (Take a look at Shodan for the high number of PLCs directly connected to the internet)