SANS SCADA Summit at Orlando - Bigger problems and so far from getting them solved
Last Updated: 2013-02-20 21:50:05 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
7 days ago finished the eight version of the SANS SCADA Summit at Orlando. Conferences were really great and it was a great opportunity to see that I am not the only CISO that is having trouble developing and implementing an information security program to the ICS world of the company. The most important conclusions obtained back there are:
- Operators and professionals from the industrial world does only care about the process: they want it efficient, reliable, available all the time and simple. When we, the security people, try to implement some control measures to avoid risks from being materialized, we need to preservate all those attributes to the process. Let's keep in mind that if we cannot improve the ICS process with our controls, the business won't let us do anything and they prefer to suffer the risk materializing than let us try to avoid them.
-
Compliance is a consequence of implementing a good security program. Choose a good framework to implement and begin working. Examples of such frameworks are:
- NERC CIP
- ISA (Industrial Automation and Control Systems Security) 99 IEC 62443
- 20 Critical security controls
- NIST GUIDE to SCADA and Control Security
- CFATS (Chemical Facility anti terrorism standards)
- As you definitely need to avoid increasing the complexity on the SCADA System operation, you cannot allow irregular acess to your operators to resources outside the Industrial Control System (ICS) network. That means not allowing to read e-mail and not accessing the Internet from the same computer where a Human to Machine Interface (HMI) is installed. They can always use other computers that have access to the IT world.
- As I stated, the ICS guys only cares about their process and tent to disregard anything that might cause problems or make them feel they are doing their work in a slow way. Therefore, a strong awareness campain is needed pointing to strong motivations like cyberterrorism and materialized risks to the SCADA and ICS systems.
- Firewalls are good but not enough to protect risks from SCADA and ICS systems. You need to add other controls like SCADA application whitelisting, Host Intrusion Prevention Systems, Network Intrusion Prevention Systems and patch management.
- Patch unpatched vulnerabilities of your SCADA and ICS systems. If fore some reason the product cannot be patched, take any other approach to lower the risk to the minimum possible value.
- Include the ICS environment to your information security risk matrix. You need to start including it inside your controls. Otherwise, information security risks will become unmanageable to your SCADA/ICS.
SCADA/ICS systems manages critical infrastructure and could be a target addressed by any irregular and ilegal group. For all us who work to companies where SCADA/ICS systems are vital to business, it will become the most important information asset to protect, as it could be used to destroy all the assets used to ensure company's future money.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
Update Palooza
UPDATE 2
Adobe Acrobat Reader 11.0.02 was published today as a fix for CVE-2013-0640 and CVE-2013-0641. More information at http://www.adobe.com/support/security/bulletins/apsb13-07.html.
Wireshark 1.9.0 was published today. It's an experimental release for testing new features for the upcoming 1.10 version.
UPDATE
More updates arrived:
- Thunderbird 17.03 arrived yesterday. It fixes 8 security vulnerabilities.
- Apple released yesterday iOS 6.1.2, which can be downloaded fast as it is small (12.8 MB). So far, this update seems to be only related with a bug on echange calendars that increases network utilization causing battery drain. Better to have last version installed as apple does not always list in a detailed way all the fixes contained in an operating system update.
Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter:@manuelsantander
Web:http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
=========== ORIGINAL DIARY BY JOHANNES ULLRICH ===========
If you are easily confused like me, you may appreciate this quick summary as to the different updates released the last couple of days:
Oracle Java:
- Java 7 Update 15
- Java 6 Update 41
Mozilla
Firefox 19
Apple
(in addition to Apple's Java update to the versions shown above)
iTunes 11.0.2.25
Adobe
- Flash Player Windows 7 and earlier 11.6.602.168 (Windows 8 and OS X is still use 167)
- Acrobat/Reader 11.0.02 (went live on Adobe's FTP server Wed. 20th morning)
Probably the most dangerous thing you can do when applying patches is to rush. You may not only end up with a broken system, but worse, the patch may not be applied correctly. Take the time to test that you are all up to date. Encourage your coworkers and relatives to visit browsercheck.qualys.com to test if all plugins are installed correctly.
(we may update this diary for a day or two)
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Comments
Anonymous
Dec 3rd 2022
9 months ago
Anonymous
Dec 3rd 2022
9 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> nearest public toilet to me</a>
<a hreaf="https://defineprogramming.com/the-public-bathroom-near-me-find-nearest-public-toilet/"> public bathroom near me</a>
Anonymous
Dec 26th 2022
9 months ago
Anonymous
Dec 26th 2022
9 months ago
https://defineprogramming.com/
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.
https://clickercounter.org/
https://defineprogramming.com/
Dec 26th 2022
9 months ago
rthrth
Jan 2nd 2023
8 months ago