Hack Chat Transcript, Part 1

An event log for the SCADA Security Hack Chat

There's a lot of infrastructure out there

Dan Maloney, 07/14/2021 at 20:27

Dan Maloney12:00 PM
OK, let's get going. Welcome, one and all, and thanks for coming out today. I'm Dan and I'll be moderating today with Dusan as usual as we welcome Eireann Leverett to the Hack Chat to talk about SCADA Security. I've really been looking forward to this as infrastructure security has been much on my mind lately.

Lord3nvy joined  the room.12:00 PM

khannon joined  the room.12:00 PM

Dusan Petrovic12:00 PM
Hello everyone!

Jason Kirkpatrick joined  the room.12:01 PM

Dick Brooks12:01 PM
Great workshop on ransomware hosted by NIST and NCCoE today - just ended; https://www.nccoe.nist.gov/events/virtual-workshop-preventing-and-recovering-ransomware-and-other-destructive-cyber-events

Dan Maloney12:01 PM
Welcome Eireann, and please accept my apologies in advance for any fat-finger mistakes on your name

Dale Hoyum joined  the room.12:01 PM

eireann.leverett12:01 PM
It's not an easy type is it?

Dan Maloney12:02 PM
So many vowels...

Can you start us off with a brief intro?

eireann.leverett12:02 PM
Fun fact; Eireann is Irish for Irish.

andypugh12:02 PM
And diacriticals....

eireann.leverett12:02 PM
indeed, though I never complain if people leave the fada out.

eireann.leverett12:02 PM
(the accent)

Dan Maloney12:02 PM
I know, I feel bad for not including those. But keeping up with the letters is tough enough for my fingers as it is.

Nathan joined  the room.12:03 PM

JImmyMoe12:03 PM
RE: Dan Maloney

1:55 PM

Hey @JImmyMoe - doesn't ring a bell right off, but I know we've covered a ton of projects like that. I'll see if I can dig something up...

Thanks you so much Dan! I would so appreciate it.

Murph

Ron Fabela joined  the room.12:03 PM

eireann.leverett12:03 PM
So brief intro: I have been doing security since about 2005, with some enthusiasm for phones before. I think I got an early insight into SCADA or ICS security because I grew up for a time in Ohio.

Mr.K. joined  the room.12:04 PM

eireann.leverett12:04 PM
My grandparents owned a farm, and I spent summers there. There were many stories of burning rivers from industrial pollution.

eireann.leverett12:04 PM

https://www.healthandenvironment.org/environmental-health/social-context/history/the-cuyahoga-river-fire-of-1969#:~:text=On%20June%2022%2C%201969%2C%20an,had%20caught%20fire%20since%201868.
eireann.leverett12:05 PM
They even named a beer after it as I got older: Burning River Pale Ale.

toet joined  the room.12:05 PM

Levi joined  the room.12:05 PM

toet12:05 PM
Good evening all

Dan Maloney12:05 PM
Yeah, it wasn't a good period

eireann.leverett12:05 PM
So my point is, at a very young age I had a sense that industrial systems could have big impacts.

adamskhan joined  the room.12:06 PM

Bill S12:06 PM
Hello all

Levi12:06 PM
Hola amigos

eireann.leverett12:06 PM
Like most people in my twenties I didn't know what I wanted to do. Eventually, after trying many jobs, I ended up studying AI and Software Engineering in Scotland. From there I worked for GE Energy on software that controlled distribution grids. Mostly energy, but some water too.

eireann.leverett12:07 PM
That was my introduction to SCADA, and then I started doing vuln management and secure coding team building for them with my main hard hat hacker Colin Cassidy.

toet12:08 PM
Are you still in electric?

eireann.leverett12:08 PM
No. Or rather not directly.

eireann.leverett12:09 PM
From there I ended up going to Cambridge, and then penetration testing at IOActive.

toet12:09 PM
Where does that sound familiar... IOActive

eireann.leverett12:10 PM
I returned to Cambridge to work on risk after 3 1/2 years of globetrotting with IOA. Colin is still with them, after leaving GE.

eireann.leverett12:10 PM
At the time, it was hard to be a SCADA security person. IOActive had some of the finest, mostly ex Idaho National Labs.

Galactic creature 4212:10 PM
Do you think full separation of environments (OT vs IT) can increase resilience against APT threats? (My answer would be No 8-) )

Dan Maloney12:11 PM
Woo-hoo, Idaho!

toet12:11 PM
Well, dividing the environments does make it somewhat more resilient.

Ron Fabela12:11 PM
Back in the good ole days

eireann.leverett12:11 PM
After pentester burnout I moved into risk to critical national infrastructure and general cyber risk at the Cambridge Centre for Risk Studies.

eireann.leverett12:11 PM
Sup Ronnie!

Ron Fabela12:11 PM
=) long time no talk sir!

eireann.leverett12:11 PM
Congratulations on your seed!

Ron Fabela12:12 PM
whew thanks! now all that's left is to execute

Ron Fabela12:12 PM
Plenty of opportunity still in OT security as everyone can probably tell

eireann.leverett12:12 PM
I still spend a little time at CCRS, but most of my time is spent in cyber insurance mathematics.

eireann.leverett12:12 PM
I'll leave it there lest I bore everyone.

eireann.leverett12:12 PM
:D

Galactic creature 4212:12 PM
:lol

Dick Brooks12:13 PM
I heard today the cyber insurers are bleeding badly - is it true?

eireann.leverett12:13 PM
So that's me in a nutshell, a bit hacker, a bit engineer and safety, a bit maths and probability.

Dan Maloney12:13 PM
Help me out: OT vs IT?

eireann.leverett12:13 PM
Sure, a classic divide.

eireann.leverett12:13 PM
It's basically work culture. OT is operational technology and IT is, well, everyone knows that... the point being...

toet12:14 PM
2 totally different worlds

Galactic creature 4212:14 PM
OT - Operational Tech. (All the ICS, Scada and IoT world) to separate from “office IT world”

eireann.leverett12:14 PM
In IT you change fast, and in OT you want hardcore change management and safety checks.

Galactic creature 4212:14 PM
@toet exactly

Dick Brooks12:14 PM
Any opinions on SBOM to share?

eireann.leverett12:14 PM
So IT wants to patch everything as fast as possible and OT wants to avoid change until it's really well verified.

andypugh12:14 PM
But remarkably similar hardware and software? (Just different purposes)

JImmyMoe12:14 PM
Ok, but aren't we really talking about Enterprise Security?

Dan Maloney12:14 PM
Ah, operational. So, networks for the factory floor vs. "carpetland". Gotcha

eireann.leverett12:15 PM
Sure, and my experience is we can get them to work together, when they understand each other.

toet12:15 PM
exactly that

eireann.leverett12:15 PM
@Dick Brooks I can get there a little closer to the end. I'm a fan though. My thought is really how much more can we use it for.

toet12:15 PM
and that usually is a dayjob on its own

eireann.leverett12:16 PM
True, but a lot of security is culture change. Make them eat and drink together in each other's teams.

Dick Brooks12:16 PM
@eireann.leverett happy to have that conversation

andypugh12:16 PM
There is a bit of this in my hobby (LinuxCNC) where we still support Ubuntu 10.04, because our users have working machines and don't want to risk that.

eireann.leverett12:16 PM
My mother says "People don't know what they ain't been through."

Dan Maloney12:16 PM
And sometimes, like with energy grids, the factory floor is basically as big as a continent

JImmyMoe12:16 PM
Anyone else going to tonight's 920SEC meeting here in Green Bay, WI?

eireann.leverett12:16 PM
So make 'em go through it and they suddenly have more capacity to understand each other.

RichardCollins12:17 PM
During Y2K I tracked the global status, then was hired to review the US Joint Chiefs' planning scenarios. Y2K required all systems to be checked. Is this that serious?

Dick Brooks12:17 PM
Pain is a wonderful educator.

eireann.leverett12:17 PM
If you don't mind, I want to make another general point.

Bill S12:17 PM
please

eireann.leverett12:17 PM
Infrastructure is like feet. You don't think about them or care for them until they stop working.

Galactic creature 4212:17 PM
@JImmyMoe Yes we are. But these worlds are so different.... To apply a patch for a vuln (like the sudo fix from late 2019) means updating 200k devices across the company, distributed geographically in OT -> guess how many could be updated? (Hope you guess less than 10% :lol). That's what the OT world will struggle with for years.

adamskhan12:18 PM
Hi Eireann, would you be able to provide some ideas on what the most difficult SCADA, ICS, OT security challenges currently are? Is it securing the devices themselves from physical and external remote attacks? Segregating the "SCADA" network from other areas of the organization? or something else entirely....

Galactic creature 4212:18 PM
@eireann.leverett epic truth :)

toet12:19 PM
My side it's mostly segregation

Dawid Wesołek joined  the room.12:19 PM

toet12:19 PM
ruling out the flat network

eireann.leverett12:19 PM
Great question, but it also depends on how you like your difficulty served. Network segmentation is really hard, say, culturally and organisationally.

toet12:19 PM
and creating test environments (sort of digital twins)

eireann.leverett12:19 PM
Securing applications is tough because we philosophically silo'd safety.

Mr.Unbekannt2.0 joined  the room.12:19 PM

eireann.leverett12:20 PM
So safety says we must X and security says we must Y and they don't integrate their thinking.

Dick Brooks12:20 PM
Lots of legacy related risks in operations too.

eireann.leverett12:20 PM
Much like OT and IT.

eireann.leverett12:20 PM
Indeed, risk management is about prioritising yourself on the risk register.

Galactic creature 4212:20 PM
@RichardCollins In the 90's there were 20 desktops in the company, but now you have almost all staff equipped with a laptop or smartphone, and almost every PLC runs its own OS with a shit load of vulnerabilities.

toet12:21 PM
Don't touch a working environment :D

eireann.leverett12:21 PM
Guess what, most security folks didn't get into computers to do the economics of DDoS versus lightning storms.

eireann.leverett12:21 PM
So we have trouble beating weather for risk prioritisation. :D

Galactic creature 4212:22 PM
@toet lol exactly

eireann.leverett12:22 PM
I also think protocols are REALLY hard.

russell paul joined  the room.12:22 PM

Bill S12:22 PM
I don't think the biggest issue with SCADA security is what needs to be done. It's how do you get anyone to enforce best / any security practices. I'll leave out small municipalities because they are smaller targets. My experience with industrial SCADA installations is that unless forced, they won't upgrade a thing until it's on fire. It's hard to even blame them. They drop 100,000 to millions on a setup that gives no upgrades unless they drop a bunch more.

JImmyMoe12:22 PM
I used to have to keep 36 computers in our 3 classrooms for Architects and Engineers 3DS Max training. I found it easier to keep up if I scheduled each of the 3 groups on a regular basis and/or after each class had come to the end of their cycled training. Can't remember exactly what I had, but it was something like 3 computers every other day, which kept me sane! I was a one-man show.

eireann.leverett12:22 PM
from both a security and safety design POV, but also adoption.

adamskhan12:22 PM
And I guess we can't always tie Y (what security says) back to a safety issue, to help emphasize the importance... though outages and potential destruction of the equipment are a huge problem, not seeming very likely... gets back to how difficult it is to quantify cyber risk

Dick Brooks12:23 PM
Getting bad in the western US: water rationing. Soon people will have to decide how to use the precious water that is available: people, plants, electricity or fire fighting. Not good.

eireann.leverett12:23 PM
@Bill S Completely fair, and we could talk security economics and regulation approaches across the globe.

toet12:23 PM
Security implementation (what I experienced) needs a mandate from the plant operator; he needs to push it.

Dan Maloney12:23 PM
FYI, I'll post a transcript of the chat right after we're done, in case anyone needs to refer back to links, etc.

toet12:23 PM
(plant operator) I mean CEO

primetimber12:24 PM
CEOs usually work in the "there is no glory in prevention" mode

eireann.leverett12:24 PM
I hope people don't mind if I bombard the chat with some links and books.

toet12:24 PM
yes please

Dan Maloney12:24 PM
Bombs away!

eireann.leverett12:25 PM
On that regulation point, we wrote this for the European Union: https://www.conpolicy.de/en/news-detail/standardization-and-certification-of-the-internet-of-things/

Galactic creature 4212:25 PM
What's your opinion on connecting OT devices directly to the internet? (Take a look at Shodan for the high number of PLCs directly connected to the internet)