Thoughts on “Countdown to Zero Day”

Well, I finished Kim Zetter’s book, Countdown to Zero Day.

Overall a great story. Good read for anyone who wants to get an idea for the last eight or so years of action in the ICS security space. I’m recommending it to family members and friends who want to “get” what I do.

I had to wonder though about a couple of ideas/concepts/parts in the book.

1. DHS Capabilities

“Within two days, [DHS] had catalogued some 4,000 functions in the code – more than most commercial software packages – and had also uncovered the four zero-day exploits that Symantec and Kaspersky would later find.” (p. 187)

Now, I’ve heard the Stuxnet story from DHS analysts before, but in contrast with Zetter’s descriptions of the Symantec effort, this seemed unrealistic. The idea (apparently expressed by DHS leadership at the time) is that what took Symantec’s brightest minds weeks of painstaking effort (see pp.52-54), DHS could whip out in two days?

I’m not saying it’s not possible, and maybe I am misinterpreting the story, but there seems to be a stark contrast there.

2. “Getting caught”

“Perhaps the biggest consideration of all was the risk of tipping off Iran and other enemies to US cyber capabilities.” (p. 191)

This gets back to a fundamental difference between Zetter’s view and mine. I think in the end, what we know as “Stuxnet” was intended to get caught. It was (or at least included) an overt signal to Iran that the USA, and perhaps Israel, were all in their business.

Consider, for example, that the worm recorded every computer it had infected. Its payload was weakly encrypted. Some versions were released after the Natanz target was hit. The code included decipherable references to Iran, Israel and the USA. With several zero days and additional propagation vectors, the worm (at least the versions that were found) couldn’t and wouldn’t keep quiet forever.

I don’t believe a highly professional and competent group could or would plan an operation like Stuxnet without carefully considering OPSEC and making intentional choices. I lean towards the idea that at some point Stuxnet’s “going public” wasn’t a surprise or a mistake; it was an intentional statement.

Reconnaissance Exposure

Critical Intelligence launched a new — and unique — service offering for companies that own and operate critical infrastructure. It’s called ReconX.

 

[Screenshot: ReconX Web site]

It’s a different sort of offering from the myriad voices talking about risk consulting or security program building or penetration testing. ReconX is all about the concept of reconnaissance exposure.

What is Reconnaissance Exposure?

It is essentially a benchmark or baseline for the important question: “what does an adversary reasonably know about how to attack me?”

Questions examined in the course of an assessment could include (among many others):

  • Who are my key employees (to include ICS engineers and control room operators)?
  • What contact details (including passwords) are public for my employees?
  • What information are those employees leaking via LinkedIn or Instagram?
  • Who are my key suppliers?
  • What information about my company are those suppliers leaking via case studies on their Web sites?
  • Who regulates me? What potentially sensitive or “useful” information exists in publicly accessible government databases about my company?

Examples of bad practice (AKA information leaks) are way more common than you might hope. Here’s a quick one:

A Chinese national attending a U.S. university did an internship at a major electric utility. Numerous details of a substation upgrade were written up as part of an “academic report” and posted to the world wide web.

Your quarterly penetration test is not likely to catch that — because that’s not the objective.

So, you might try something different this time around. For more information, head to the CI Web site, download the glossy and contact Critical Intelligence.

Warning Intelligence and Critical Infrastructure

If you are a security professional looking for a fantastic read… something foundational that you might have overlooked, I suggest Cynthia Grabo’s “Anticipating Surprise: Analysis for Strategic Warning”.

[Image: Grabo book cover]

Grabo reportedly wrote the book in the early 70s, but it remained classified until 2002. There are some fantastic concepts that help the security professional get out of the techno-centric run-the-software mindset and into a “think ahead” approach. (It is amusing that I am saying it’s useful to look back in time in order to alter perspective for effectively moving ahead.)

Here’s a great quote:

The philosophy behind indicator lists is that [an adversary] in preparation for [an attack] will or may undertake certain [activities], and that it is useful for analysts and collectors to determine in advance what these are or might be, and to identify them as specifically as possible.

At the risk of oversimplification, this means that if you are defending critical infrastructure, you would think through what an adversary may attack, and how that attack might come — getting into the specifics.

For example:

What facilities are the most important (to you, to the country, to specific customers)? What equipment is used at those facilities? How is that equipment connected to a network? Who has access to that equipment? What known vulnerabilities affect that equipment? and so forth.

In my experience, few defenders are systematically thinking in this way… have a read.

Covert Emerson vuln Update

On December 2, ICS-CERT pushed an update to a vulnerability advisory for Emerson ROC RTUs. The original advisory was published on September 26, 2013.

[Screenshot: ROC update]

Most ICS-CERT advisory updates include incremental information, such as the vendor identifying more vulnerable versions or releasing a patch. When you open up the Emerson ROC vulnerability update, that is the impression you get:

[Screenshot: ROC update 1]

So, when you read this, you believe that Emerson has released a patch and that the patch has been validated by the researchers who disclosed the vulnerabilities. Seems simple enough.

But keep reading and you see that the little update wasn’t so little:

[Screenshot: ROC update 2]

Capture replay is a HUGE deal. Essentially this means that a lack of authentication for communications allows an attacker to send the vulnerable RTU whatever commands the attacker had previously recorded.
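To make the point concrete, here is an added toy model (not code from the advisory, from Emerson, or from the ROC protocol; the frame layout, function code and key are all constructed for the example). The unauthenticated device acts on any well-formed frame, so a captured frame delivered a second time is accepted; the second device binds each frame to a sequence counter and an HMAC, so the same captured frame is rejected on replay, which is the property a mitigation, whether in the device or in a separate network appliance, has to provide.

```python
import hmac
import hashlib
import struct

KEY = b"constructed-demo-key"   # shared secret, constructed for this example only
WRITE_SETPOINT = 0x10            # toy function code, not a real ROC opcode

class UnauthenticatedRTU:
    """Toy model of a device that acts on any well-formed frame it receives."""
    def __init__(self):
        self.setpoint = 0

    def handle(self, frame):
        func, value = struct.unpack(">BH", frame)   # 1-byte function, 2-byte value
        if func != WRITE_SETPOINT:
            return False
        self.setpoint = value
        return True

class AuthenticatedRTU:
    """Same device, but every frame carries a sequence number and an HMAC-SHA256 tag."""
    def __init__(self, key):
        self.key, self.setpoint, self.last_seq = key, 0, 0

    def handle(self, frame):
        body, tag = frame[:-32], frame[-32:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                  # tag mismatch: forged or corrupted frame
        seq, func, value = struct.unpack(">IBH", body)
        if seq <= self.last_seq:
            return False                  # counter did not advance: replayed frame
        self.last_seq = seq
        if func != WRITE_SETPOINT:
            return False
        self.setpoint = value
        return True

def plain_frame(func, value):
    return struct.pack(">BH", func, value)

def auth_frame(key, seq, func, value):
    body = struct.pack(">IBH", seq, func, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def replay_demo():
    """Deliver one captured frame twice to each device; return whether each accepted the copy."""
    plain, auth = UnauthenticatedRTU(), AuthenticatedRTU(KEY)
    captured_plain = plain_frame(WRITE_SETPOINT, 500)
    captured_auth = auth_frame(KEY, 1, WRITE_SETPOINT, 500)
    plain.handle(captured_plain); auth.handle(captured_auth)          # legitimate delivery
    return plain.handle(captured_plain), auth.handle(captured_auth)   # replayed copy
```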

But it’s okay, because it has been patched right? I mean “Update A part 1 of 3” says in direct terms:

Emerson Process Management has produced a patch that mitigates these vulnerabilities.

Well, keep plowing into the depths of the document, because you may never guess what’s coming next:

[Screenshot: ROC update 3]

That’s right: there is no patch! At least, that is how this could be interpreted. You may actually need to install another device on your network to mitigate the issue.

My conclusion: Many vulnerability communications are not serving the needs and interests of firms that are actually operating critical infrastructure.

Critical Intelligence conducts its own analysis of every ICS vulnerability it comes across to make sure the utilities, water facilities, and refineries operating industrial systems:

  • Don’t miss publicly disclosed vulnerabilities
  • Don’t get lost in the details
  • Accurately understand the possible impacts to the processes they run

If you are really trying to protect critical infrastructure, then you’ve got to communicate clearly. To get that type of communication, subscribe to the Core ICS Intelligence Service.

UPDATE Dec. 18, 2014: ICS-CERT now confirms that the Emerson patch did not address the capture-replay attack.

Pipeline cyber explosion — yesteryear’s news

Reading through the news, I came across the Bloomberg BTC pipeline explosion piece.

[Screenshot: pipeline cyber article]

If cyber attacks on the pipeline were news to you, they shouldn’t have been.
Critical Intelligence covered the cyber aspect of this story (though perhaps not in the same set of details) in its report entitled “Report claims Russia conducted cyber attack on strategic pipeline”, issued August 30, 2009. Critical Intelligence has made the report publicly available.

Among the interesting things we found those five years ago was an advanced technology threat assessment for the pipeline.

If you don’t want to hear about ICS security events five years later, subscribe to the Critical Intelligence Core ICS Intelligence Service.