@primetimber True. Then when everything goes to hell, the board gets a new CEO who says that last guy was the worst and continues to do nothing. Think VW
Where do you tend to see more security vulnerabilities - insecure devices, poor configuration/management, or both?
It covers a crazy history of electrical systems, automotive safety, and medical safety.
Would the benefits of airgapping outweigh the ease of maintenance and data transfer? Or is it not possible for infrastructure to work like an island?
Then goes on to regulatory and certification approaches.
On the airgapping debate, Ronnie knows where I stand :D
Though I guess it's worth repeating....
Thx
Always good to airgap but typically, hardly practical?
Airgaps are mostly myths in practice. They seem easy to maintain and they're not. For example, how are you going to check any SSL/TLS certificate in an airgap?
They are very very dangerous to the mind...too.
How so?
Also, how would you get status across an airgap?
People get a false sense of security, I've seen that before
CRL verification would be challenging
Largely my "coming of age" story in this industry was older engineers telling me we didn't need software security practices because it was all airgapped.
From the security perspective (aside from regulations and certifications), what are your thoughts about using cheap SBCs instead of high priced VPN routers (+ even more expensive "access servers") to connect dislocated PLCs to a central SCADA?
As far as I saw, those "premium" devices mostly use OpenVPN which is a breeze to configure today (with a bit of fiddling with iptables).
So does it make sense to pay for those industrial routers today?
Then came 802.11
What happens is that you do just 1 connection to the air gap with a network device that never gets updates or is ever looked at again
I knew it wasn't true, and those airgaps were becoming an impediment to real improvements and innovations.
So I set out to prove people wrong in 2010.
https://cyberics.github.io/News/news.html keeps track of what new vulnerabilities have been released
https://www.cl.cam.ac.uk/~fms27/papers/2011-Leverett-industrial.pdf
This is the result of that effort.
I was kind of an angry hacker back then :D
Is the document safe :p
Imho - 100% airgap is not possible these days. But -> connecting OT to the internet, having sensitive devices accessible from anywhere... That's a bad idea :) Anyway - an airgap can be achieved by some means but it costs extra money (nuclear power plants do have airgapped systems)
Absolutely. The reason it's a bad idea is because the vendors thought it was THE idea.
An airgap for most people is no ethernet
I'm afraid you still need to get data on and off the system. Ladder logic needs to be loaded on the PLCs somehow. What about tools like this one?
Today, they push software updates to jet fighters in flight. Turns out air is a pretty good medium for communications.
So I prefer people do better checking on inputs and outputs. Don't get me wrong if your airgap really is part of defense in depth cool...but if it's your only defence....I get cranky.
even when I think a system is air-gapped, a technician decides to connect (say) our cooling water vendor to the SCADA network, which has a 4G connection to their engineers in another country.
Firmware verification is hot, and I like many companies doing it. Adolus is one of my favourites, but maybe just because Eric Byres inspired me with his myths and facts paper.
@eireann.leverett yes, data exchange is very important nowadays, getting real time telemetry etc. Systems need to be segregated as much as it is possible... yes, a bit more complex for operation. But we have to consider:
What are other good defenses? I saw a bunch of Allen Bradley PLCs in the picture for this chat. In my experience, they don't care much about security
Someone mentioned Shodan, and I think at the EMF talk you listed a few places that _you_ had got in to with the help of Shodan?
reliability, security and safety :)
Yeah, I see the false sense of security, I think I only know one customer in Infrastructure who has a total airgap. The software is old & adapting the software is a hassle.
How do Unidirectional Gateways fare in this picture?
They could work well, but we need some co-evolution with protocols to work well with them.
Now, more generally, let's talk some books and success stories.
http://industrial-landscape.com/#/home
Brian Hayes, Infrastructure: A Guide to the Industrial Landscape
https://elibrary.ferc.gov/eLibrary/filelist?document_id=14927761&optimized=false
Eric/aDolus is one of the C-SCRM vendors that filed with FERC in support of SBOMs.
I loved this one...not security minded, but such a great how-things-work book.
One chapter was about agriculture.
Oh, man -- you really gave me book-envy when you suggested that book...
100 years ago 99% of people would have been farmers. Today it's about 1%. How did that happen?
Automation
Can we do the same with other things, and then once we have, how do we secure it?
We are lazy.
Lol, best mathematician is a lazy one?
Concrete factories are cool too....
They are truly distributed infrastructure primarily because of how quickly concrete sets
No sir, I mean naturally, human being is lazy so thinks how to improve things 8-)
https://verveindustrial.com/resources/ics-advisory-report-thank-you/
ICS Advisory Report - Verve Industrial
https://www.amazon.co.uk/s?k=the+knowledge
(Sorry for typos, English is not my natural language)
This one is fun too
No worries
It has one chapter on a guy who built a toaster from scratch
mined the copper, moulded the plastic, wired the cable everything
Thx for posting these articles :) will read it indeed
https://www.google.co.uk/books/edition/Solving_Cyber_Risk/xn91DwAAQBAJ?hl=en&gbpv=1&pg=PA103&printsec=frontcover
My own book isn't much of a security book, it's more a risk and quantitative approach, but I wrote a chapter I'm proud of on vulnerabilities generally.
I do recommend Jake's book for SCADA security especially
https://blackwells.co.uk/bookshop/product/9781498717076?gC=5a105e8b
Blocked IP Address due to Suspicious Activity
Though there are many others too.
LOL blocked IP address
Irony
Huh
https://erikhollnagel.com/ideas/safety-i%20and%20safety-ii.html
I think all security people in OT should read safety books like Erik's
Regarding the toaster... A friend of mine is attempting to build a smartphone (although he is not going to mine gold and silicon 🤣🤣🤣)
I have many more links and things to share, but I'll go back to questions for a bit :)
https://www.plcacademy.com/ladder-logic-tutorial/
PLC Ladder Logic Programming Tutorial (Basics) | PLC Academy
Ok, a little ladder logic tutorial wouldn't hurt :)
@eireann.leverett do you think with "average" SCADA setups (in terms of focus on security) there is a common lack of focus on anything in particular? In other words, if you had to pick a thing or two, what do you think is the most typical low-hanging fruit of SCADA network security improvements?
👍
@Lord3nvy Switches and network equipment, and network monitoring.
Secure your networking infrastructure first.
http://oscada.org/ if you want to build a custom SCADA overview; it's old but still works
Do you see more vulnerabilities because of poor configuration/management or in devices (such as PLCs) themselves?
One really interesting thing about realtime networks: to MITM often requires an attacker to operate under the real time constraints of the system itself.
that's a brilliant constraint that defenders can use to their advantage
Good point. Here's my talk on industrial ethernet switch security:
A bit of the offense side, but plenty of lessons for defenders, from firmware management and verification, to default credentials, to switch hardening
Very cool - thank you! Network monitoring makes a lot of sense - I think it has a tendency to get pigeonholed into the "IT" world and sometimes doesn't get communicated to the boots on the ground, so to speak, when anomalies happen.
So much of SCADA is protocols that work really well, but assume only trusted people have access, so focus on rejecting attacker access, and thus switches first, PLCs, RTUs, other equipment next, logging, and network monitoring.
One other thing....OT/SCADA has engineers as standard employees. Literate, numerate people. Ok, numerate people. But seriously, they care about the system more than other users, and they think critically as engineers...we need to leverage that and not deride them as homers.
Care to elaborate on the 'leverage' part?
Name another environment where you can count on standard people within the org to have STEM degrees? If we can't explain security to them, we're communicating risk badly.
@DM do you mean leveraging the employees? Like how do we do it?
Expand a little and I'll try to answer.
Yes, you mentioned that engineers are critical thinkers and that we should leverage this. How best do we do this practically?
Random link to one of my fave papers on CNI analysis
https://ieeexplore.ieee.org/document/969131
Identifying, understanding, and analyzing critical infrastructure interdependencies
Regarding anomalies - does it make sense to focus on anomalies down to the protocol level (.101 or .104) or focus a bit more on hardening peers? I mean to define who is allowed to communicate with whom and who is not, and just alert when an anomaly happens?