Digital Bond’s S4x14 is the first ICS/SCADA security conference of the year which means it gets the juices flowing again after the holidays. Â This year was a little different than previous years as Dale Peterson chose the speakers based upon “New People, New Techniques, and New Process Impact.” Â Bringing new people and new ideas to tackle the problem of “insecure by design” ICS components. Â There were about 50 more attendees this year over S4x13. Â Dale also added “OTDay” on the day before S4 as a vehicle to talk about how to apply security best practices to Operational Technology. Â Another new addition was “ICSage” on the day after S4 and it focused solely on ICS Cyber Weapons.
A few presentations I enjoyed were:
Jason Larson of INL spoke about miniaturizing spoofing code down to fit on an embedded industrial sensor and the playback algorithm needed to make the signal look normal enough to an operator. Â It makes you think about what INL is working on behind closed doors, doesn’t it?
I applaud Matthew Theobald from Schnieder Electric for getting up in front of the SCADAsec professionals and show that a large vendor can embrace SDL and how they are even applying it to legacy code.
We popped the popcorn during the SCADA Apologist/SCADA Realist debate between Dale Peterson and Eric Byres. Â It was a fun debate, but I am not sure if anyone in the audience changed their minds about the whole ongoing debate.
Darren Highfill, Sergey Bratus, & Meredith Patterson spoke about how traditional software parsers are inherently broken and that a new approach is required to fix the issue of “shotgun parsers.” Â Protocols are languages -Captain Obvious- but how can language theory be applied to a SCADA protocol like DNP3? Â Language Security LangSec is a very cool concept. Â If I say “Hannah Jack I’m everybody hi”, your brain knows that what I said was English, but it didn’t quite fit sentence structure rules. Â Meredith is working on adding DNP3 protocol to Tongs, the standard library for the open source Hammer parser. Â Stay tuned.
Got to finally meet Jim Gilsinn and hear his short talk about analyzing ICS/SCADA protocols. Â The idea of knowing how your system normally talks and what is being said is a great way to know if something is abnormal or perhaps malicious. Â Yes this even ties in to LangSec and to what we were researching. Â Now…to figure out how to whitelist human communications with certain people I know…and no I’m not talking about you. Â But you on the otherhand…
Rotem Bar gave an interesting talk on poor API design in ICS/SCADA. Â He showed how a weak API design is a cause of vulnerabilities. Â This dovetailed nicely into our talk as well…as we found evidence of weak APIs in DNP3 implementations.
Lastly,  Adam Crain and I presented our Project Robus vulnerability research about DNP3 protocol implementations.  Check out the video of our talk here, Dark Reading article here, Threat Post article here,  and a nice post from my friend Ron Fabela here.  It was an honor to be able to show how two people can help change an industry that has been stuck in insecurity.  This is just the beginning and we have a lot more work to do (including more protocols).
More shameless self-promotion: next week, I will be on a panel at DistribuTECH in San Antonio talking about DNP3 protocol (imagine that) and several ways for end users to mitigate the DNP3 implementation bugs we uncovered (and even those we haven’t found yet). Â After that, Adam and I will be at SANS ICS Security Summit in Orlando in March. Â Adam will be releasing the Aegis fuzzer as open source (including DNP3) at the event.
Special thanks to Security Intern for agreeing to send me some LiquidMatrix stickers…come find me sometime and I’ll give you one.