Hack Chat Transcript, Part 3

An event log for SCADA Security Hack Chat

There's a lot of infrastructure out there

Dan Maloney 07/14/2021 at 20:33

Galactic creature 42 12:52 PM
anomies = anomalies ;)

andypugh 12:52 PM
@Dan Maloney I am thinking that there might be a Hackaday article just in this bibliography

Patrick C Miller joined the room. 12:52 PM

Dan Maloney 12:52 PM
@andypugh - You may be right about that

toet 12:53 PM
Leverage your engineers: sit next to them, learn everything from them. These people know more than the average plant worker. Keep these people close and then make them the frontrunners.

eireann.leverett 12:53 PM
I used to start with doughnuts and coffee. By which I mean getting to know them better without asking anything. Then find some of their problems and help them solve it. Introduce security tools as ENGINEERING tools. For example, I taught the change management team to get hashes of firmware for CHANGE MANAGEMENT LOGS, and only then did I show them the value for security.

Galactic creature 42 12:53 PM
@toet will take this approach and try it

toet 12:53 PM
this everyday

eireann.leverett 12:54 PM
Also, understand that risk officers have to choose between a thousand "could happens". If you can quantify the impact, then they start to pay attention.

DM 12:54 PM
That's great, thanks!

eireann.leverett 12:55 PM
there's a subtle point there...you need (as security people) to have SOMEONE in risk meetings...not just to amplify your risks, but also to prevent other risks destroying good security where it does exist.

toet 12:55 PM
Most of all, take the time to learn, and like @eireann.leverett said, coffee will get you a head start.

eireann.leverett 12:55 PM
let me give you an example:

eireann.leverett 12:56 PM
An unnamed Norwegian electrical provider that has existed since the sixties basically had a phone network, because for safety reasons they needed a phone in every substation.

eireann.leverett 12:56 PM
it was old school copper pair

eireann.leverett 12:56 PM
so far so good, then it's 2000 and the CFO wants to save money and upgrade things, so they switch to IP telephony

eireann.leverett 12:57 PM
I mean why run a telephone company when you don't need to? All those copper repairs are expensive.

eireann.leverett 12:57 PM
Cue two talented and handsome penetration testers with hard hats and moustaches, and voila, every time we pwned an IP phone we got a substation for free.

eireann.leverett 12:57 PM
What's my point?

eireann.leverett 12:58 PM
A security person needed to be in there telling the CFO and CRO why IP telephony could become a problem.

Galactic creature 42 12:58 PM
Got it.

eireann.leverett 12:58 PM
You wouldn't have gone to that meeting as a security person, so someone needs to be in all those boring risk meetings :D

Galactic creature 42 12:59 PM
Lol exactly

eireann.leverett 12:59 PM
Incidentally, Norwegian hackers are off the hook, and greetz to Hackeriet ;)

Patrick C Miller 12:59 PM

eireann.leverett 12:59 PM

https://hackeriet.no/index.en.html

Hackeriet

2021-06-22: Hackeriet has carefully reopened since the COVID-19 situation has improved in Oslo. All creatures welcome! 2021-05-26: Our IRC channel #oslohackerspace has moved to Libera.chat. Stay safe, and be excellent to each other! Hackeriet is a community operated hackerspace in Oslo where people tinker with software, networks, art and hardware, and learn from each other.

eireann.leverett 12:59 PM
Loving it Patrick!

eireann.leverett 12:59 PM

https://s4xevents.com/

S4x22 ICS Security Event

Set free a conservative, slow moving, change resistant community to discover new ideas and come up with innovative ways to use these new ideas to deploy secure, resilient and better ICS. 719 of the world's best in OT and ICS Security attended S4x20. S4x21 was lost to Covid.

eireann.leverett 12:59 PM

https://cs3sthlm.se/

CS3STHLM | Home

The Premier Cyber Security Conference for ICS/SCADA and Critical Infrastructure. The Summit CS3STHLM - the Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems - is an annual summit that gathers the most important stakeholders across critical processes and industries.

Patrick C Miller 12:59 PM
Great to see you! Awesome stuff!

eireann.leverett 1:00 PM

https://www.emfcamp.org/

Electromagnetic Field

Electromagnetic Field is a non-profit UK camping festival for those with an inquisitive mind or an interest in making things: hackers, artists, geeks, crafters, scientists, and engineers. A temporary town of more than two thousand like-minded people enjoying a long weekend of talks, performances, and workshops on everything from blacksmithing to biometrics, chiptunes to computer security, high altitude ballooning to lockpicking, origami to democracy, and online privacy to knitting.

Ron Fabela 1:00 PM
:heart:

eireann.leverett 1:00 PM

https://en.wikipedia.org/wiki/The_Heroes_of_Telemark

The Heroes of Telemark - Wikipedia

The Heroes of Telemark is a 1965 British war film directed by Anthony Mann based on the true story of the Norwegian heavy water sabotage during the Second World War from Skis Against the Atom, the memoirs of Norwegian resistance soldier Knut Haukelid.

Patrick C Miller 1:00 PM
Can confirm. S4 and CS3 rock.

eireann.leverett 1:00 PM
I know that's our time, but I'll stick around a bit more. Too many friends in this party.

DM 1:01 PM
Thank you for those insights @eireann.leverett and @toet !

eireann.leverett 1:01 PM

https://longnow.org/clock/

The 10,000 Year Clock

The full scale 10,000 Year Clock is now under construction. While there is no completion date scheduled, we do plan to open it to the public once it is ready. The essay below by Long Now board member Kevin Kelly discusses what we hope the Clock will be once complete.

Galactic creature 42 1:01 PM
Thx for pointing very interesting stuff 🙏😎

eireann.leverett 1:01 PM
I think this project was super cool.

Dan Maloney 1:01 PM
Yeah, by all means, keep the conversation going. I'll wait to pull the transcript -- too much good stuff

toet 1:01 PM

https://mch2022.org/#/

MCH2022 - May Contain Hackers 2022

MCH2022 is a nonprofit outdoors hacker camp taking place in Zeewolde, the Netherlands. The event is organized for and by volunteers from and around all facets of the worldwide hacker community. Knowledge sharing, technological advancement, experimentation, connecting with your hacker peers and of course hacking are some of the core values of this event.

Patrick C Miller 1:02 PM
Did we already cover airgaps?

Patrick C Miller 1:02 PM
/me ducks

eireann.leverett 1:02 PM
I think a lot about infrastructure over time...especially 100 year chunks or more.

toet 1:02 PM
next year it's in the Netherlands again

eireann.leverett 1:02 PM
LOL

primetimber 1:02 PM
ty

eireann.leverett 1:02 PM
I love visualisations like this: https://www.visualcapitalist.com/visualizing-50-years-of-the-g20s-energy-mix/

andypugh 1:02 PM
@eireann.leverett I think it might have got lost in the scroll, but I seem to recall that, using Shodan, you got into some very interesting places?

Dan Maloney 1:02 PM
But I will say the "official" thank-you to Eireann for his time today, and to @andypugh for helping to set this up. Andy gave me the suggestion to reach out to Eireann, and I encourage everyone to do the same -- let me know who you want to hear from and I'll try to make it happen.

Ron Fabela 1:03 PM
You can't just come in here @Patrick C Miller and talk about airgaps, not until we've discussed in detail level 0 monitoring

eireann.leverett 1:03 PM
We did, and I forgot @Dick Brooks SBOM comments too, so I'll hit those.

Patrick C Miller 1:03 PM
Also, a Danish event coming in November, for anyone in the area...

Patrick C Miller 1:03 PM

https://insightevents.dk/events/scada/

Patrick C Miller 1:03 PM
Should I go ahead and say sensors?

toet 1:03 PM
same as zero trust??

eireann.leverett 1:04 PM
We found electrical substations, dams, foundries, and many other small and large infrastructural things.

toet 1:04 PM
(runs and hides)

eireann.leverett 1:05 PM
Now it's like a yearly event where some master's student finds infrastructure with Shodan. I never thought it would be a timeless piece...but there you go. To punish me for my derision of authority they have made me an authority. :D

eireann.leverett 1:05 PM
Now. SBOM....

Dick Brooks 1:05 PM
cool

eireann.leverett 1:05 PM
I think it's crucial...

eireann.leverett 1:05 PM
One of the real world problems is: vulnerability inheritance

eireann.leverett 1:06 PM
Someone writes a vulnerable library and everyone uses it and no one knows where it is....if you think carefully about it you realise it's a problem both ways....

Patrick C Miller 1:06 PM
Is @ericbyres on the chat?

Galactic creature 42 1:07 PM
Yes!!!

eireann.leverett 1:07 PM
Like, I want to deploy this GarrettCom switch, but how would I know it has GE vulns because it was white-labelled?

eireann.leverett 1:07 PM
It works the other way too....who uses my software a decade after I wrote it? especially if it is open source....

eireann.leverett 1:07 PM
It's really hard to track all that, unless......SBOM

Dick Brooks 1:08 PM
One big problem that SBOM helps solve is the requirement to identify a software supplier - which is not a requirement in today's SW distributions

eireann.leverett 1:08 PM
That will help us against supply chain attacks too.

Galactic creature 42 1:09 PM
I’ve found my software which I compiled 20y ago still being available for download :) (latest download 2021 june…) 🤣🤣🤣

Dick Brooks 1:09 PM
Agree. And will help sw customers verify the supplier and digital signature/signing party are legit.

eireann.leverett 1:09 PM
I confess though I am itching to use SBOM for something people don't expect.

eireann.leverett 1:09 PM
Though I don't know what yet...I was waiting for it to mature a bit and have data.

Galactic creature 42 1:10 PM
Sorry for the stupid question - what does SBOM stand for?

Patrick C Miller 1:10 PM
Software Bill of Materials

Dick Brooks 1:10 PM
I use SBOM for corroborating evidence in a SW risk assessment; i.e. does the digital signature align with the supplier in the SBOM and the signing key on file for that supplier - very effective.

Patrick C Miller 1:10 PM
And that's not a stupid question.

eireann.leverett 1:10 PM
So for example, we used NVD last year to forecast vulnerabilities

eireann.leverett 1:10 PM

https://arxiv.org/abs/2012.03814

Vulnerability Forecasting: In theory and practice

Why wait for zero-days when you could predict them in advance? It is possible to predict the volume of CVEs released in the NVD as much as a year in advance. This can be done within 3 percent of the actual value, and different predictive algorithms perform well at different lookahead values.

Dick Brooks 1:10 PM
yes SBOM = Software Bill of Materials @Patrick C Miller

Galactic creature 42 1:11 PM
Got it, thx @Patrick C Miller

eireann.leverett 1:11 PM
Under peer review still, but kind of cool work with lots of applications to ICS/OT networks

Dick Brooks 1:12 PM
Very poor signal/noise ratio when searching NIST NVD for vulns using SBOM data. Need alignment of SBOM data models and Vuln repositories.

eireann.leverett 1:12 PM
For example, if I can tell you AIX will get between 6 and 8 vulns next year, you can plan your forklift upgrades accordingly.

eireann.leverett 1:12 PM
@Dick Brooks and that will take a while...I wouldn't use it for Vulns necessarily.

eireann.leverett 1:13 PM
My point is just....I think SBOM will give us capabilities we never expected.

Dick Brooks 1:13 PM
What would you use to ID vulns in a proactive process, before installation?

eireann.leverett 1:13 PM
Oh, and while we're here: PYLONS ROCK!

Patrick C Miller 1:13 PM
Interesting concept/approach @eireann.leverett. Forecasting the "vulnerability load" for software or even components (libraries, etc) based on history? Did I understand that correctly?

eireann.leverett 1:13 PM

https://pylons.org/

Pylon Appreciation Society

Who are we and what do we do? "It's funny how many people accuse me of being mad or geeky - and then they send me photos or ask for more information!" It's simple: the Pylon Appreciation Society is a club for people who appreciate electricity pylons.

eireann.leverett 1:13 PM
Yeah Patrick

eireann.leverett 1:14 PM
We found you could forecast vulnerabilities up to a year in advance

Patrick C Miller 1:14 PM
That will help understand total cost of ownership of platforms.

Galactic creature 42 1:14 PM
Hmmm interesting idea

eireann.leverett 1:14 PM
not exactly which vuln of course, but rough counts for all software and for some specific vendors (60 or so)

eireann.leverett 1:14 PM
Bingo