Friday, November 19, 2010

Symantec's W32.Stuxnet Dossier - Breakthrough v1.3, Nov 2010
Dutch Profibus expert provides crucial pieces to the puzzle

As of October, much had already been researched and shared with critical infrastructure organizations around Stuxnet, given its broader industrial control system (ICS), DCS and SCADA implications. As covered in Symantec's publicly available research blog series and W32.Stuxnet Dossier white paper:
  • Stuxnet has been in play since at least 2009.
  • Specifically looks for Siemens PLC models S7-417 and S7-315-2, both widely deployed in the US.
  • PLC infection only occurs when the PLC contains the Profibus-DP communications processor
  • Windows 64-bit platforms not affected (32-bit targeted).
  • Malware package very sophisticated, even with some sloppy controls (it could have been more restricted and targeted, and stayed hidden longer).
  • The question of how to ensure the integrity of PLC code has not been addressed in detail.
Stuxnet raises the bar and serves as a road map, even if the talented security researchers and hackers studying it do not view it as easy to repurpose. There has also been speculation that malware of this type was used to make several Iranian petrochemical facilities dramatically "go bang" in 2009.

On Nov 12th, Eric Chien's posting Stuxnet: A Breakthrough keyed in on important tips and insights provided by a Dutch Profibus expert that help pin down exactly what Stuxnet was built to do. Symantec's updated W32.Stuxnet Dossier v1.3 Nov 2010 white paper now more clearly describes how the malware fingerprints and sabotages specific models of frequency converters driving high-speed motors, periodically altering their output frequency over an extended time frame.

This additional insight underscores the growing need to manage similar "Advanced Persistent Threat" risks to critical infrastructure. Stuxnet's very clever payload is just one example of how hidden, targeted malware could pose a substantial threat to critical infrastructure in general, even though this real-world example focused on sabotaging systems akin to those used in uranium enrichment.
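The dossier leaves open how to verify that the logic actually running on a PLC is the logic that was commissioned. The following is an added example, not code from Symantec's dossier, from Siemens, or from the original post: a baseline-versus-live integrity check that hashes each logic block's compiled bytecode and reports blocks that were added, removed or modified. It assumes the caller can already read block bytecode off the PLC into a name-to-bytes dictionary (for example with an S7 protocol library); the block names and bytes shown are constructed sample data, not real S7 code.

```python
"""Baseline-versus-live integrity check for PLC logic blocks.

Added example (not from Symantec, Siemens or the page's author). Assumes the
caller can read each block's compiled bytecode off the PLC into a dict of
name -> bytes. All block names and bytes below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class IntegrityReport:
    """Blocks that differ between the stored baseline and the live PLC."""
    added: list[str] = field(default_factory=list)     # on the PLC, not in baseline
    removed: list[str] = field(default_factory=list)   # in baseline, gone from PLC
    modified: list[str] = field(default_factory=list)  # in both, bytes differ

    def clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def hash_blocks(blocks: dict[str, bytes]) -> dict[str, str]:
    """Map each block name to the SHA-256 hex digest of its bytecode."""
    return {name: hashlib.sha256(code).hexdigest() for name, code in blocks.items()}


def make_baseline(blocks: dict[str, bytes]) -> str:
    """Serialize the known-good digests. Store (and ideally sign) this copy
    somewhere the engineering workstation cannot silently rewrite it."""
    return json.dumps(hash_blocks(blocks), sort_keys=True)


def compare(baseline_json: str, live_blocks: dict[str, bytes]) -> IntegrityReport:
    """Diff a stored baseline against blocks just read from the PLC."""
    baseline = json.loads(baseline_json)
    live = hash_blocks(live_blocks)
    report = IntegrityReport()
    for name in sorted(set(baseline) | set(live)):
        if name not in baseline:
            report.added.append(name)
        elif name not in live:
            report.removed.append(name)
        elif baseline[name] != live[name]:
            report.modified.append(name)
    return report


# Constructed sample project: the blocks as they were commissioned.
KNOWN_GOOD = {
    "OB1":  b"L DB1.DBW0\nT MW10\nCALL FC1\nBE\n",  # main cyclic block
    "OB35": b"CALL FC2\nBE\n",                      # cyclic interrupt block
    "FC1":  b"L MW10\nL 100\n>I\n= Q0.0\nBE\n",     # plant logic
    "FC2":  b"L IW0\nT MW20\nBE\n",
}

# Constructed "after tampering" snapshot: the entry blocks gain a call into
# injected code, and the injected blocks themselves appear on the PLC.
TAMPERED = dict(KNOWN_GOOD)
TAMPERED["OB1"] = b"CALL FC1869\n" + KNOWN_GOOD["OB1"]
TAMPERED["OB35"] = b"CALL FC1874\n" + KNOWN_GOOD["OB35"]
TAMPERED["FC1869"] = b"<injected logic>"
TAMPERED["DB890"] = b"<injected data>"


def demo() -> IntegrityReport:
    """Run the check against the tampered snapshot."""
    return compare(make_baseline(KNOWN_GOOD), TAMPERED)


if __name__ == "__main__":
    r = demo()
    print("added:", r.added, "removed:", r.removed, "modified:", r.modified)
```

Two caveats matter more than the hashing itself. First, hash the compiled bytes read back from the controller, not the project files on the engineering workstation, because the workstation is exactly what an attacker with Stuxnet-style access controls. Second, the dossier describes Stuxnet replacing the Step 7 communication library (s7otbxdx.dll) so that the blocks it wrote were hidden from reads made through that workstation; a live read that goes through a possibly compromised library can be lied to, so take the read from an independent host and keep the baseline outside the workstation as well.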


Sunday, July 4, 2010

Senate Committee Unanimously Passes Major Cybersecurity Bill
- Risk mitigation shifting to continuous monitoring and dynamic response

On June 24th, the Senate Homeland Security and Governmental Affairs Committee unanimously approved an amended 200-page version of the controversial Protecting Cyberspace as a National Asset Act of 2010, which will now move to the full Senate floor for consideration.

SANS Director Alan Paller's related testimony (written, 17 pages, and as discussed) at the June 15th Senate hearing Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century (webcast) strongly emphasizes more effective risk management and less of the "paperchasing" currently demanded by FISMA (with NIST standards and guidance mandatory). "When you demand that someone perform huge numbers of things, with limited budgets, you get dysfunctional results."

The committee's bill includes a number of key elements, many of particular interest to critical infrastructure organizations:

  1. Creates an Office of Cyberspace Policy in the President's Executive Office, to be run by a Senate-confirmed Director. The Director will advise the President on all cybersecurity matters, harmonize federal efforts to secure cyberspace, and develop a national strategy that incorporates all elements of cyberspace policy, including military, law enforcement, intelligence, and diplomatic.
  2. Creates a National Center for Cybersecurity and Communications (NCCC) at the Department of Homeland Security (DHS), to be run by its own Director. This will elevate and strengthen the Department's cyber security capabilities and authorities. The NCCC will include the United States Computer Emergency Readiness Team (US-CERT).
  3. Updates the Federal Information Security Management Act (FISMA) to modernize federal agencies' practices for protecting their internal networks and systems. Reforms will allow agencies to move towards real-time monitoring to secure critical systems (and away from the current system of after-the-fact paperwork compliance).
  4. Requires the NCCC to work with the private sector to establish risk-based security requirements that strengthen cyber security for the nation’s most critical infrastructure that, if disrupted, would result in a national or regional catastrophe.
  5. Requires critical infrastructure to report significant breaches to the NCCC to ensure the federal government has a complete picture of the security of these sensitive networks. The NCCC must share information, including threat analysis, with owners and operators regarding risks to their networks. The Act will provide specified liability protections to owners/operators that comply with the new risk-based security requirements.
  6. Creates a responsible framework, developed in coordination with the private sector, for the President to authorize emergency measures to protect the nation’s most critical infrastructure if a cyber vulnerability is being exploited or is about to be exploited. The President must notify Congress in advance before exercising these emergency powers. Any emergency measures imposed must be the least disruptive necessary to respond to the threat and will expire after 30 days unless the President extends them. The bill authorizes no new surveillance authorities and does not authorize the government to “take over” private networks.
  7. Develops a comprehensive supply chain risk management strategy to address risks and threats to information technology products and services the federal government relies upon. This strategy will allow agencies to make informed decisions when purchasing IT products and services.
  8. Requires the Office of Personnel Management to reform the way cyber security personnel are recruited, hired, and trained to ensure that the federal government has the talent necessary to lead the national cyber security effort and protect its own networks.
With respect to NERC Reliability Standards, including the cyber security focused CIPs, an extensive compliance paperchase remains underway in 2010, with both industry and regulatory bodies facing a substantial phase-in of standards going through their first extensive audits. Much of the focus is on the language and interpretation of the Standards and the associated Reliability Standard Audit Worksheets (RSAWs) - see Resources. Even if this bill became law today, it could be years before the related expectations and improvements are significantly reflected in the Standards.


- Lieberman, Collins, Carper Unveil Major Cybersecurity Bill to Modernize, Strengthen, and Coordinate Cyber Defenses (w/video ~10m) 6/10/2010
- Other recent hearings, such as one before the House Appropriations Committee, also emphasize key elements in the bill: DHS Cyber Security Programs - What progress has been made and what still needs to be improved? 4/15/2010

Wednesday, March 17, 2010

Cybersecurity: Utilities are Contested Territories - Fact or Hype?

SANS Director Alan Paller's recent EnergyBiz opinion piece Utilities are Contested Territories presents illuminating facts driving Advanced Persistent Threat (APT) cybersecurity concerns in utility settings.
  • The FBI brought in 31 major utility executives for some forensic-grade calibration on how their systems had been compromised, without their knowledge, over extended time frames.
  • The attacks, which also affect other areas of government and major businesses, are nation-state level in sophistication and persistence.
  • Weaponized email is the currently preferred technique behind the ongoing waves of attacks.
  • Key defenses were found insufficient to prevent, detect, deter, and recover from the attacks.
The article goes on to assert that the more advanced utilities have learned to operate on the underlying assumption that they do not have complete control of their systems. Many of these organizations are said to have an unprecedented level of additional defensive measures now deployed to help manage APT risks (extensive encryption, access controls, monitoring, etc.).

A preview, request-only SANS Webcast delving into this topic is scheduled ahead of the upcoming 2010 SCADA and Process Control Summit (March 24th - April 1st).

Hurry if you're interested in catching this free, one-time, by-request-only webcast.

The Summit's optional workshops (provided by DHS, INL and NERC) include a very interesting new full-day offering.

Sunday, January 17, 2010

2010 Blasts in with Regulatory Cybersecurity Bar Raising
- NERC CIP-002-4 (Project 706 Ph II) and NRC RG 5.71 - both with NIST Enhancements

Last updated 1/24/2010
As 2010 opens, beefed-up regulatory scope and rigor around cybersecurity on both the Bulk Electric System (BES) and commercial Nuclear Power Plant (NPP) fronts are forming up, even as expanding regulatory scrutiny has been focused on assessing the status of current requirements and programs.

Draft NERC CIP-002-4 Released. Now in Phase II, NERC Project 706 (addressing FERC Order 706-A) released draft standard CIP-002-4, Cyber Security - BES Cyber System Categorization (16 pages, w/VSLs) in December for an informal comment period running through February 12th. This version calls for a significantly more extensive risk assessment process:
  • Substantially addresses the concerns raised in Assante's April 2009 letter - see Assante Throws Down the Gauntlet on CIP-002.
  • Rather than just focusing on what to include, requires a complete inventory of BES Cyber Systems before determinations are made.
  • Getting (more) NISTy, with a graded BES impact assessment and commensurate controls: high, medium and low (catch-all) impact rankings.
  • Emphasizes functional assurance, not just security around functions.
  • Specific Violation Severity Levels (VSLs) and penalties are called for if mis-categorization is determined to have taken place.
  • NPP applicability: structures, components, equipment and systems of facilities within a nuclear generation plant that are not regulated by the U.S. Nuclear Regulatory Commission or the Canadian Nuclear Safety Commission.
  • More: the effective date is two years after approval ("eighth calendar quarter"); a bottom-up, conservative approach with granular assessment/engineering evaluation expectations; various impact categorizations for assessments addressing inadvertent/adverse changes; example fishbone diagramming of dependencies - see the Draft Guidance Document (10 pages).

    Updated 1/24/2010
  • On Feb 3rd, 2010 at 1pm EST, NERC is scheduled to host a webinar "Proposed Revisions to CIP-002-4" (register)
NRC RG 5.71 Released. Following the November 23, 2009 deadline for NPPs to file required Cyber Security Plans for review and approval (per NRC Reg 10 CFR 73.54), the NRC released regulatory guide RG 5.71, Cyber Security Programs for Nuclear Facilities (copy, 100+ pages, including template/appendixes) earlier this month; source: NRC Regulatory Guides - Materials and Plant Protection (Division 5). This now-public regulatory guide formally expands on and supersedes the prior NRC-endorsed NEI 04-04 developed by the industry. Some argue it is like going back to a blank piece of paper to stand up a new program; not entirely true, but still very dense as regulatory guides go, and also more NIST-aligned (more). Commercial nuclear has gone through a number of development steps over the last decade; see NEI Power Plant Security - Cybersecurity.

More perspective around RG 5.71 can be gained from reviewing NRC's Advisory Committee on Reactor Safeguards (ACRS) 567th Meeting - Nov 2009 - Official Transcript (copy, 330 pages; a good place to start is page 98 for "cybersecurity", then jump to page 275 for more specific RG 5.71 coverage). The guide itself is written for the cybersecurity professional and covers aspects that others may miss when reading through it.

FERC Order 706-B - NRC/NERC MOU Released. FERC recognized a regulatory gap with Order 706-B: the NRC, primarily focused on public safety and the nuclear safety significant aspects of NPPs, does not have regulatory scope addressing continuity of power. FERC Order 706-B states that balance-of-plant systems at NPPs not regulated by the NRC must comply with the NERC CIP Standards and requires a compliance filing outlining the implementation schedule. An NRC/NERC MOU released last week establishes a working agreement consistent with the Order 706-B recommendations. FERC's Dec 17th filing expects an additional compliance filing from NERC to more clearly address (i) how determinations will be made as to which systems fall under which program (NRC Cyber or NERC CIP), and (ii) establishing an exception process for exempting systems that fall under NRC Cyber from CIP compliance.

  1. Informal Comment Form: Project 2008-06 Cyber Security Order 706, CIP-002-4 (due 2/12/2010)
  2. NRC and NERC Execute Memorandum of Understanding Regarding Enforcement of Cyber Security Requirements - Morgan Lewis Energy Lawflash, January 12, 2010
  3. NRC Reg (10 CFR 73.54), Protection of digital computer and communication systems and networks
  4. NIST on a roll with "Historic" Security Controls Guidance (SP 800-53 Rev 3)

Saturday, January 9, 2010

Security Challenges Into the Next Decade and Beyond
- A Leap Into the Future with Kurzweil, Suarez & Joy

Over the New Year's Holiday, I dusted off and finished pressing my way through a stunning, expansive view into the not-so-distant future: Ray Kurzweil's tome The Singularity Is Near: When Humans Transcend Biology. In his richly cited work, huge advancements in renewable energy and storage efficiency, with microscopic fuel cells and other technologies, will capture abundant energy available for the taking in a distributed manner, intrinsically reducing the unique security risks associated with centralized power stations.

Looking at the accelerating trends continuing in information technology, Kurzweil argues that The Law of Accelerating Returns applies to many problems once they are sufficiently addressed with information technology based approaches. For example, rather than traditional experimental trial and error, exponentially improving computing environments are increasingly being used to effectively model and test medical treatments virtually. Expect significant life extension and expansion improvements over the next 20 years, as well as rapidly emerging non-biological intelligence going fundamentally beyond the various narrow artificial intelligence applications widely used today. Related nanotechnology will drive expanding human intelligence and also result in new existential threats as we eventually transcend our biology: some heady prognostications.

If you haven't read about or heard Ray Kurzweil in depth before, here's an informative Dec 2008 presentation from the 26th Army Science Conference (The Impact of Accelerating IT on War and Peace, Dec 2008, video 54m). This talk was broader than the title implies, providing his updated views, with supporting presentation slides (142, in pdf and pptx formats) regarding IT-driven advancements and their unfolding implications.

Focusing on cyber security, non-biological computer infections or actions taken by malicious actors will increasingly be less about compromising computers and more about harming the physical environment, including humanity. Who wants to let their bio- or nano-augmented substrate be chewed up and spit out as grey goo by rapidly replicating nano-nasties, or otherwise adversely repurposed? So much promise, and notable perils, which many baby boomers may be able to witness if they stick around long enough. Kurzweil, turning 62 in February, is taking several hundred supplements daily and adhering to a strictly formulated diet, striving to bridge into his predicted, further life-extended future with continuing advancements in GNR (genetics, nanotechnology, and robotics).

From a more current perspective, the emerging 2009 best-seller "fiction" hit Daemon by Daniel Suarez provides a present-day look into what could go wrong with runaway non-biological intelligence. His first book and its just-released sequel, Freedom (TM), lay out subtle and ruthless ways civilization could be systemically torn down by a cleverly designed artificial entity savvy in human behavior, reaching out from cyberspace via online gaming and other methods, recruiting and exploiting human agents, and so on. While entertaining and recommended reading, his informative non-fiction presentation Daemon: Bot-Mediated Reality - The Long Now Foundation (video 1:20) emphasizes the underlying themes, with concerns about how humanity is increasingly facing the prospect of a Darwinian struggle with non-biological intelligence. He emphasizes key strategies and controls needed now to address the growing risk.

For more on concerns about the perils, here's a provocatively titled article, "Why the future doesn't need us." - Bill Joy, Wired, April 2000: "Our most powerful 21st-century technologies - robotics, genetic engineering, and nanotech - are threatening to make humans an endangered species."


Saturday, January 2, 2010

Cyber Security Happy New Year 2010 - Perspective and Predictions

First Cut 1/2/2010

2009 Perspective - hot stories and list of lists.
2010 and Beyond Predictions - more hot stories and list of lists.

  • The Future of Threats and Threat Technologies: How the Landscape is Changing (24 p), Trend Micro, Dec 2009
    - No global outbreaks, but localized and targeted attacks.
    - It's all about money, so cybercrime will not go away.
    - Windows 7 will have an impact since it is less secure than Vista in the default configuration.
    - Risk mitigation is not as viable an option anymore, even with alternative browsers/OSs.
    - Malware is changing its shape every few hours.
    - Drive-by infections are the norm; one Web visit is enough to get infected.
    - New attack vectors will arise for virtualized/cloud environments.
    - Bots cannot be stopped anymore, and will be around forever.
    - Company/social networks will continue to be shaken by data breaches.