Getting Your ICS/SCADA Components Security Tested

Posted on April 13, 2012 by Brent Huston

Recently, at the MEA Summit, I had the opportunity to engage in a great discussion with a number of SCADA owners about security testing of their devices. Given all of the big changes underway concerning SCADA equipment, connectivity and the greater focus on these systems by attackers; the crowd had a number of questions about how they could get their new components tested in a lab environment prior to production deployment.

Device and application testing is something that MicroSolved has done for more than a decade. We have tested hundreds of IT hardware products, commercial software loads, web/mobile applications, consumer products, and for the last several years, ICS/SCADA and Smart Grid components. Our lab environments are suitable for a wide variety of testing scenarios and are used by utility companies, manufacturers and software developers from around the world as a trusted source for rational security testing and relevant threat analysis. We have a firm non-disclosure policy for client systems tested and the relevant vulnerabilities discovered and we often work hand in hand with the developers/design engineers to work through both mitigation and/or compensating control development.

ICS/SCADA owners should have any new designs assessed prior to implementation, they should have some form of ongoing security assessment (analysis – NOT scanning…) performed against current deployments/threats, plus they should be engaged in testing all new hardware and software platforms before production adoption. Developers, designers and manufacturers of ICS/SCADA/Smart Grid components should be engaging in a full set of product assessments, attack surface analysis, threat modeling and penetration testing prior to the release of the products to market. This will be a value-add to your customers, and ultimately, to the consumer.

If your organization would like to have a device or software analysis performed, or would like to discuss how to engage with MicroSolved to have new equipment or ICS/SCADA deployment ideas modeled, tested and assessed, please contact us.

Presentations Given at Midwest Energy Association Summit

Posted on April 12, 2012 by Mary Rose Maguire

On April 11, 2012, both Phil Grimes and Brent Huston were honored to present on the ICS/SCADA security topics at the Spring Gas Operations Summit in Indianapolis held by the Midwest Energy Association (MEA).

Phil covered the process of scoping security assessments for ICS/SCADA deployments and spent a lot of time with the crowd analyzing various scenarios for how to pick an assessment partner, how often to perform vulnerability assessments, how to closely control and properly use penetration testing and a variety of other topics specific to the crowd’s concerns.

Brent followed that presentation with a talk focused on honeypots in ICS/SCADA. He covered the history of honeypots in ICS deployments, the NIST guidance for honeypots (“canaries”) and the relevant locations and approaches to gathering attack data with them. The crowd also asked great questions about how to use the data from the systems, how to work together to leverage honeypot data as an industry and how to manage data anonymity for detected events.

Further discussions followed, with the MSI team sitting in the crowd as a round table, which went really well. They had excellent conversations about the state of the threat, the reliance on public infrastructures, cellular communication threats, network enclaving, detection techniques and the safety of Internet exposed HMIs.

MSI would like to thank MEA for allowing us to come in and engage with their attendees. It was a very interesting show and we think everyone learned a lot about where ICS/SCADA security is going in the next 1-3 years.

Poll: An Opportunity to Tell Us Which Content You Like Most!

Posted on April 10, 2012 by Mary Rose Maguire

We always strive to bring you the best information security content, complete with thoughtful analysis and relevant resources. Would you take a few minutes to participate in our poll? We’d appreciate it because it will help us deliver the most useful content. Thank you!

Create your free online surveys with SurveyMonkey, the world’s leading questionnaire tool.

Don’t Forget About VoIP Exposures and PBX Hacking

Posted on April 6, 2012 by Brent Huston

I was browsing my usual data alerts for the day and ran into this set of data. It motivated me to write a quick blog post to remind folks that VoIP scans and probes are still going on out there in the wild.

These days, with all of the attention to mass compromises, infected web sites and stolen credit card data, voice systems can sometimes slip out of sight.

VoIP compromises and intrusions remain a threat. There are now a variety of tools, exploits and frameworks built for attacking VoIP installations and they are a target for both automated tools and manual hacking. Access to VoIP systems can provide a great platform for intelligence, recon, industrial espionage and traditional toll fraud.

While VoIP might be the state of the art for phone systems today, there are still plenty of traditional PBX, auto-attendant and dial-up voicemail systems around too. Now might be a good time to review when those systems were last reviewed, audited or pen-tested. Traditional toll fraud is still painful to manage and recover from, so it’s probably worth spending a few cycles on reviewing these devices and their security postures.

Let us know if your organization could use assistance with these items or with hardening voice systems, implementing detection techniques for them or otherwise increasing voice system security.

HoneyPoint and HITME Helps Clients Take Out Malware

Posted on April 5, 2012 by Brent Huston

I wanted to share some great feedback we received this week from a couple of sources. Both are regarding HoneyPoint — our product for creating a platform of nuance detection and visibility.

The first came from a critical infrastructure team. We notified them of an attack from their environment which was detected on the HITME (HoneyPoint Internet Threat Monitoring Environment). Using our alert, they quickly identified, investigated and isolated a specific machine that been infected with a piece of malware and was now scanning the Internet for other potential victims. They thanked us for the notification and said they truly appreciated our efforts and the work of the HITME team to help protect US critical infrastructures.

The second bit of feedback came from a long-time user of HoneyPoint Wasp, who suddenly began to see a piece of code propagate across a few machines in their workstation space. The code was rapidly identified as a piece of malware that had successfully evaded their anti-virus, but triggered the Wasp white list detection mechanism. Their team traced the infection back to a single USB key, which they impounded and sanitized. Thankfully, they found this infection before it was able to be leveraged by an attacker against them. They were very supportive of HoneyPoint and thanked us for assisting them in their investigation and for teaching them how to use Wasp through our installation services.

Together, these represent just a couple of the stories where HoneyPoint has helped security teams. Some of the people who receive the benefit of our work are not even users of the product or MicroSolved clients at all. It’s just another way that we engage every single day to help make a difference in the security and safety of peoples’ lives.

At MSI, we don’t just make great tools and perform great services, we have spent the last 20 years working hard to help people with information security. It continues to be both our pleasure and our passion.

Thanks for reading!

Three Sources to Help You Understand Cybercrime

Posted on April 3, 2012 by Brent Huston

Cybercrime is a growing threat. I thought I would take a few moments and point you to three recent news articles that discuss U.S. Government views on just how information security is proceeding, how we are doing, and how we should think about the future of infosec. They are all three interesting points of view and represent a wide variety of data seen at high levels:

FBI Director Mueller on cybercrime (RSA Conference, March 2012)

Perspectives on intellectual property theft

How the U.S. is outgunned in cyber-defense

These three links are interesting perspectives on how infosec is changing from a focus on compliance and prevention techniques to fully embracing the need for cross-platform, security-focused initiatives. In addition, more emphasis is on threats and risk while balancing prevention, detection capability, and effective responses when things go wrong.

Long term, this change is an important one if we are to protect ourselves and the data of our customers in the future. Cybercrime won’t go away, but if we can approach security with proactive strategies, we may minimize its effectiveness.

MSI Strategy & Tactics Talk Ep. 27: The 2012 Verizon Data Breach Investigations Report

Posted on March 30, 2012 by Mary Rose Maguire

The 2012 Verizon Data Breach Investigations Report is out! In this episode of MSI Strategy & Tactics, Adam, Phil, and John discuss the newest report’s discoveries and some of the more interesting discoveries. Discussion questions include:

1. What was the most surprising finding?
2. What is different from the past, any trends?

Listen in and let us know what you think!

Resource:

The Verizon Data Breach Investigations Report

Panelists:

Adam Hostetler, Network Engineer, Security Analyst

Phil Grimes, Security Analyst

John Davis, Risk Management Engineer

Mary Rose Maguire, Marketing Communication Specialist and moderator

Click the embedded player to listen. Or click this link to access downloads. Stay safe!

Mobile Apps Shouldn’t Roll Their Own Security

Posted on March 29, 2012 by Brent Huston

An interesting problem is occurring in the mobile development space. Many of the applications being designed are being done so by scrappy, product oriented developers. This is not a bad thing for innovation (in fact just the opposite), but it can be a bad thing for safety, privacy and security.

Right now, we are hearing from several cross platform mobile developers that the API sets across iOS, Android and others are so complex, that they are often skipping some of the APIs and rolling their own code methods for doing some of this work. For example, take crypto from a set of data on the device. In many cases, rather than using standard peer-reviewed routines and leveraging the strength of the OS and its controls, they are saying the job is too complex for them to manage across platforms so they’ll embed their own code routines for doing what they feel is basic in-app crypto.

Problems (like those with the password vault applications), are likely to emerge from this approach toward mobile apps. There is a reason crypto controls require peer review. They are difficult and often complex mechanisms where mistakes in the logic or data flows can have huge impacts on the security of the data. We learned these lessons long ago. Home-rolled crypto and other common security routines were a big problem in the desktop days and still remain so for many web applications, as well. Sadly, it looks like we might be learning those lessons again at the mobile application development layer as well.

Basically, the bottom line is this; if you are coding a mobile application, or buying one to access critical data for your organization, make sure the developers use the API code for privacy, trust and security functions. Stay away from mobile apps where “roll your own/proprietary security code” is in use. The likelihood of getting it right is a LOT less than using the APIs, methods and code that the mobile OS vendors have made accessible. It’s likely that the OS vendors are using peer-reviewed, strongly tested code. Sadly, we can’t say that for all of the mobile app developer code we have seen.

As always, thanks for reading and stay safe out there!

Disagreement on Password Vault Software Findings

Posted on March 26, 2012 by Brent Huston

Recently, some researchers have been working on comparing password vault software products and have justifiably found some issues. However, many of the vendors are quickly moving to remediate the identified issues, many of which were simply improper use of proprietary cryptography schemes.

I agree that proprietary crypto is a bad thing, but I find fault with articles such as this one where the researchers suggest that using the built in iOS functions are safer than using a password vault tool.

Regardless of OS, platform or device, I fail to see how depending on simple OS embedded tools versus OS embedded tools, plus the additional layers of whatever mechanisms a password vault adds, reduces risk to the user. It would seem that the additional layers of control (regardless of their specific vulnerability to nuanced attacks against each control surface), would still add overall security for the user and complexity for the attacker to manage in a compromise.

I would love to see a model on this scenario where the additional controls reduce the overall security of the data. I could be wrong (it happens), but in the models I have run, they all point to the idea that even a flawed password vault wrapped in the OS controls are stronger and safer than the bare OS controls alone.

In the meantime, while the vendors work on patching their password vaults and embracing common crypto mechanisms, I’ll continue to use my password vault as is, wrapped in the additional layers of OS controls and added detection mechanisms my systems enjoy. I would suggest you and your organization’s users continue to do the same.

Information Security Is More Than Prevention

Posted on March 23, 2012 by Brent Huston

One of the biggest signs that an organization’s information security program is immature is when they have an obsessive focus on prevention and they equate it specifically with security.

The big signs of this issue are knee-jerk reactions to vulnerabilities, a never-ending set of emergency patching situations and continual fire-fighting mode of reactions to “incidents”. The security team (or usually the IT team) is overworked, under-communicates, is highly stressed, and lacks both resources and tools to adequately mature the process. Rarely does the security folks actually LIKE this environment, since it feeds their inner super hero complex.

However, time and time again, organizations that balance prevention efforts with rational detection and practiced, effective response programs perform better against today’s threats. Evidence from vendor reports like Verizon DBIR/Ponemon, law enforcement data, DHS studies, etc. have all supported that balanced program work much better. The current state of the threat easily demonstrates that you can’t prevent everything. Accidents and incidents do happen.

When bad things do come knocking, no matter how much you have patched and scanned, it’s the preparation you have done that matters. It’s whether or not you have additional controls like enclaving in place. Do you have visibility at various layers for detection in depth? Does your team know how to investigate, isolate and mitigate the threats? Will they do so in a timely manner that reduces the impact of the attacker or will they panic, knee-jerk their way through the process, often stumbling and leaving behind footholds of the attacker?

How you perform in the future is largely up to you and your team. Raise your vision, embrace a balanced approach to security and step back from fighting fires. It’s a much nicer view from here.

MSI :: State of Security

Insight from the Information Security Experts