That certainly did strike a chord. What’s better than trust? Verification. The fact is that in ICS security, asset owners much too often simply trust their vendors’ claims about cyber security. Trust is not a bad thing, but for the more critical systems, it should be supported by verifiability. Some regulators in the nuclear domain have been smart enough to incorporate that criterion in their regulation.

Anyone who has been around in ICS security for some time may have had experiences similar to these:

• A vendor who is challenged on the security posture of his products counters with the argument that it must be secure simply because there are X deployments that have been running without problems for years (note: even if we accept this as a fact without checking, there were millions of Siemens S7 deployments before Stuxnet demonstrated multiple vulnerabilities in the bread-and-butter product).
• A vendor who is challenged on the security posture of his product flat out denies the allegation even though it is backed by his own technical documentation. A promise to straighten up the obvious discrepancy to the product documentation is not followed up upon.
• A vendor who is challenged on the security posture of his product responds with “no, that’s not true. We have checked this. That is not a problem.” without delivering any kind of technical details, not to speak about test results, that would support the claim.

Real-life examples like these demonstrate the sorry state of the art that we have to deal with. They also demonstrate a complete lack of understanding about cyber security on the part of specific vendors, no matter how many designated cyber security experts they might have on staff. (Usually the problem is more related to corporate culture than to staff members.)

ICS security for critical systems does not resolve into a matter of trust in the vendor. I don’t know if Dan intentionally implied it, but this notion apparently is in discrepancy with Bruce Schneier’s recent thinking on cyber security and trust. With the asset owner usually accepting all the responsibility, not to say risk (!), it’s the latter’s duty to demand verifiable information that backs up the vendor’s claims. If the request for verification catches the vendor with his pants down, as it happens from time to time, it demonstrates the need for the exercise — and, maybe, to start searching for competitors.

Verifiability and verification are important concepts to separate the hot vapor in ICS security from hard fact. We encourage asset owners to use these concepts to their advantage even when not mandated by a regulator.

Ralph Langner

The ICS Security Salon will initially take place on June 24, 2013 in Munich with Dale Peterson as its prime speaker. Dale is founder and director of Digital Bond and an internationally recognized thought leader in ICS security.

Registration information and agenda can be found here.

According to our analysis, the devices referred to by Symantec as “auxiliary valves” have a completely different function: They do not act as inter-stage shutoffs that would isolate individual stages (thereby blocking the whole cascade). Our intelligence suggests that the first fifteen of these devices act as overpressure relief valves.

The footage above is a close-up of a SCADA screen in the Natanz control room from 2010 and shows some of the respective devices as grey objects, labeled EP-4106 to EP-4111, in a non-standard piping & instrumentation diagram. The green arrows indicate direction of flow, which is always out of the centrifuges to an independent collector line on top of the picture, shown in green. This collector line is separate from feed, product, and waste, and obviously has protective rather than productive function.

A better understanding of the basic piping structure can be obtained by looking at the full screen shots that we published earlier. – The depicted millibar pressures should be ignored as the respective cascade is in startup mode when the picture was taken.

The best match we could identify in plant floor footage is shown below, with target objects highlighted by us.

Executive summary:

Rather than a much-needed initiative to break the legislative deadlock on the subject in Congress, President  Obama’s  new  executive  order  for  improving  critical  infrastructure  cyber  security  is  a  recipe  for continued failure. In essence, the executive order puts the emphasis on establishing a framework for risk management and relies on voluntary participation of the private sector that owns and operates the majority of u.S. critical infrastructure. both approaches have been attempted for more than a decade without measurable success. a fundamental reason for this failure is the reliance on the concept of risk management, which frames the whole problem in business logic. business logic ultimately gives the private sector every reason to argue the always hypothetical risk away, rather than solving the factual problem of insanely vulnerable cyber systems that control the nation’s most critical installations.

The authors suggest a policy-based approach that instead sets clear guidelines for asset owners, starting with regulations for new critical infrastructure facilities, and thereby avoids perpetuating the problem in systems and architectures that will be around for decades to come. In contrast to the IT sector, the industrial control systems (ICS) that keep the nation’s most critical systems running are much simpler and much less dynamic than contemporary IT systems, which makes eliminating cyber vulnerabilities, most of which are designed into products and system architectures, actually possible. Finally, they argue that a distinction between critical and non-critical systems is a bad idea that contradicts pervasiveness and sustainability of any effort to arrive at robust and well-protected systems.

SCADA screen for 17 stage, 174 centrifuge IR-1 cascade

In February 2012, Iranian TV aired several news clips about Natanz. In one of them, a SCADA screen of the new 17 stage, 174 centrifuge IR-1 cascade is shown. Look closely at the familiar four rows of green dots at the top that make up the centrifuge drive system monitor, connected to Siemens S7-315 PLCs. This time, the vertical red lines in the display are not inserted by us. They are in the original footage.

SCADA screen for 15 stage IR-2 cascade

The second screen shows a next-generation IR-2 cascade with 15 enrichment stages. Color contrast is enhanced to make the lines stand out. Again, the vertical lines are in the original footage.

From those two screen shots it is easy to determine the exact shapes of both the 17 stage IR-1 cascade and the 15 stage IR-2 cascade. Even better, the (non-standard) piping & instrumentation diagrams below the centrifuge drive system monitor area provide excellent insight in the architecture of Iran’s unique cascade protection system, connected to Siemens S7-417 PLCs, which plays a major role in the Stuxnet 417 attack sequence. Besides, it is quite obvious from comparing the different screens, along with other footage, how much the plant design and piping are work in progress.

Credits

Scott Kemp (Harvard University)

Manuchehr Honarmand (Lenziran.com)

The deeper wisdom is something like this. For offensive cyber activities there is a business case. You can make something happen for a competitive price. For passive defense there is not. You will perhaps prevent something that might not happen in the first place. Looking at it in terms of economics, offense has a clear advantage – at least in the short term. Therefore it should not surprise that substantial amounts of money are funneled to offensive cyber programs, and neither should it surprise that enough cyber foot soldiers are eager to grab that money. The few renegades over at the light side of the force justify pursuing their ill-funded low-budget act by citing Yoda’s traditional saying, protecting yourself not profitable is. The right thing to do it is.

Ralph Langner

Cyber-physical attacks and national security

INSS conference on cyberspace and national security, Tel Aviv

Cyber warfare: Preparing for the inevitable

ICT summit Eurasia, Istanbul