• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
RCMP 2010

RCMP 2010



Provided a demonstration about current information sharing and collaboration issues within the SCADA/control systems community, and some of the challenges (and advantages) encountered since its ...

Provided a demonstration about current information sharing and collaboration issues within the SCADA/control systems community, and some of the challenges (and advantages) encountered since its inception back in 2008.



Total Views
Views on SlideShare
Embed Views



4 Embeds 7

http://www.linkedin.com 3
http://www.lmodules.com 2
http://www.slideshare.net 1
http://www.slashdocs.com 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    RCMP 2010 RCMP 2010 Presentation Transcript

    • Insight into the SCADASEC Community: Tales from the Trenches Royal Canadian Mounted Police / Public Safety / Emergency Management Protecting Canada's Critical Infrastructure 2010 Control Systems Security Workshop Thursday, April 15, 2010 Bob Radvanovsky, CIFI, CISM, CIPS [email_address] Creative Commons License v3.0.
    • What is Infracritical?
      • Started as a ‘grassroots’ / basement company (quite literally)
        • Data center is located within the basement of its principal founder.
        • Consists of a strategic thinker, an OPSEC professional, and an engineer.
      • Focus is on strategic ‘future-thought’ including research on CIP and homeland security
        • Includes SCADA security, user awareness, and education.
      • Clearinghouse for individuals to research ideas regarding CIP and homeland security issues / topics
        • Outcome are whitepapers, journals, books, etc.
      • Purpose is to create a stable / open environment for information sharing and research, as well as provide resources for independent researchers
    • What is the SCADASEC mailing list?
      • Incepted Wednesday, February 6, 2008
      • Started based on the need to share information about ‘industrial control systems’ security
        • At the time the list was created, nothing publicly existed.
      • Started as a ‘grassroots’ group consisting of several individuals from IT and control systems communities
      • Not formally created (not incorporated – not yet )
        • Currently working on formally creating SCADASEC.
    • What is the Mission of the SCADASEC mailing list?
      • To discuss and formulate ideas, concepts and theories about/regarding security of critical infrastructures as well as industrial control systems, and what impact(s) may result from their disruption
      • Discussions are strategic in nature (non-specific)
      • Discussions are non-commercial – no advertising
      • Some discussions considered “Minus-1 Day” (1)
      1. Discussions on SCADASEC have led to “Zero Day” vulnerabilities found in several ICS architectures.
    • SCADASEC as an Intelligence Resource
      • Provides email distribution through non-digested and digested modes (digested modes once per day)
      • RSS feeds available for top 30 daily discussions from digested distro
      • RSS feeds taken from other sources and incorporated into daily (once per day) RSS “feed blasts” (similar discussions elsewhere about SCADA)
      • Email discussions are archived locally and available for further research
      • Search engine available for general public (Google engine)
    • Search Engine Capabilities of the SCADASEC list
      • Search engine is built on the same server as the mailing list
      • URL: http://mlsearch.infracritical.com
    • The example here is searching based on the keyword “brazil”; there were heated debates about the recent Brazilian power outage in late 2009
      • Cultural, social and philosophical diversities pose a challenge between those from the Information Technology and the SCADA / Industrial Control Systems security communities
      • Informal “cease fire” reached between factions; both sides still passionate about their positions (“we’re right; the other side is wrong”)
      • Constantly play “referee” between factions (and certain members)
      • SCADASEC is considered a “No Man’s Land” – a safe haven sanctuary to openly discuss and debate various topics
      Challenges Encountered on the SCADASEC List
      • SCADASEC is non-commercial – no advertising
      • SCADASEC is non-classified – no classified and/or CUI/FOUO information
      • SCADASEC is neutral and unbiased
      • SCADASEC is international – critical infrastructures/control systems are used throughout the World, not just the U.S. or Canada
      • Everyone has a fair chance at discussing/debating their concepts or theories (some more than others), as long as they “play nice”
      Policies of the SCADASEC list
      • Most of the participants are representing themselves as individuals (partially for legal reasons); keep it fair, keep it real…
      • Discussions can have company signatures (some are more verbose than others), but try and keep signatures as short as possible
      • The ONLY advertisements allowed are for conferences and/or educational workshops (includes book announcements, too)
      • Notifiers are allowed to post ONE posting for their conference
      • Notifiers are allowed to post ONE UPDATE – that’s it!
      SCADSEC is Non-Commercial
      • Everything discussed on SCADASEC is “open source” ; meaning, all information is “OSINT” and is publicly obtainable (via Google)
      • NO sensitive information (U.S. “Controlled Unclassified Information”) allowed whatsoever; any such information found is censured
      • NO intelligence information (U.S. “For Official Use Only”) allowed whatsoever; one incident had posting regarding discussion of documents obtained through security flaw on U.S. WaterISAC web site; incident was contained and censured, authorities were notified
      • NO corporate intellectual property and/or confidential information allowed whatsoever; any such information found is censured
      SCADASEC is Non-Classified
      • Certain individuals feel that SCADASEC is their personal mailing list for their specific agendas; unless they are paying Infracritical, it is for everyone, not just one individual
      • Everyone is entitled to their opinion
      • No one person is right – or wrong; in most circumstances or scenarios presented, there is no one right answer or solution
      • Neither the owner, nor the moderators, have any strongly biased opinions on any of the topics presented or discussed
      • No slander, no name-calling – play nice – or find another “sandbox”
      SCADASEC is Neutral and Unbiased
      • SCADASEC has representation from most major countries:
        • U.S., Canada, U.K., Australia, New Zealand, Japan, Brazil, Germany, Italy, France, Argentina, Singapore, Hong Kong, Malaysia
      • SCADASEC has representation from the following sectors:
        • Energy, Transportation, Water/Wastewater, Food/Agriculture, Emergency Management, Government, Critical Manufacturing
      • SCADASEC has representation from many military, intelligence and federal/national law enforcement groups (not named - * shhhh* )
      • SCADA security, like Critical Infrastructure Protection, has far-reaching impacts across borders than traditional Public Safety/Homeland Security
      SCADASEC is International
    • Accurate statistics available to general public; information is shown in graphical format only – no specific datapoints http://news.infracritical.com/xmlstats.php?s=scadasec (2) 2. http://news.infracritical.com/xmlstats.php?s=scadasec&m=12&y=09 returns info for December 2009.
      • Approx. 1023 users [as of 14-Mar-2010], growing by 1-4 pp/D
        • SCADASEC “hit” 1000 members just 3 days prior to our Two Year Anniversary
      • Approx. 50 users active (roughly 5% ± 1.5% of total membership)
        • SCADASEC has a record number of 53 participants in one month [Jun 2008]
      • Average number of monthly postings is between 150-450 per month
        • SCADASEC had a record number of 452 postings in one month [Jun 2008]
      • Average number of daily postings is between 5 and 15 per day
        • SCADASEC has a record number of 102 postings in one day [12-Mar-2010]
      Some Interesting Statistics about SCADASEC
      • Some recent statistics:
        • Dec 2009 – 165 postings, average 5.32 p/D
        • Jan 2010 – 224 postings, average 7.23 p/D
        • Feb 2010 – 169 postings, average 5.45 p/D
        • Mar 2010 – 282 postings, average 9.09 p/D
      • Recent topics included:
        • Recent Brazilian power outage in 2009
        • Los Angeles (U.S.) signaling computer breach
        • Smart Grid Initiative (SGI)
        • SCADA certifications
        • Cloud computing
        • Virtualized environments
        • RSA conference (2010)
      Some Interesting Statistics About SCADASEC
      • SCADASEC provides a public venue that most organizations have either tried or cannot do (policy/legal restrictions, laws, et. al)
        • Private, third-party entity that is outside realms of industry and govt.
      • SCADA/control systems provide the backbone to infrastructures
        • Output from infrastructures strongly dependent upon how secure our SCADA / control systems are operationally.
      • “ Domino Effect” – if one area is impacted, others may be, too…
        • If Energy is disrupted, this will impact Transportation, etc., etc.
      • Like CIP, SCADASEC is far-reaching, knowing no borders…
      How does SCADASEC relate to/with CIP (3) ? 3. http://books.google.com/books?id=oPi2SNHhowcC&printsec=frontcover&dq=radvanovsky&ie=ISO-8859-1&cd=4#v=onepage&q=&f=false.
      • “ CIP” does NOT mean “cybersecurity” (CIP ≠ cybersecurity)
        • Although “cybersecurity” is subset to “CIP”, it isn’t the only factor that makes CIP “critical infrastructure”; it combines all aspects of security.
      • The term “cybersecurity” is nebulous and confusing; are they talking about IT security or are they talking about SCADA security?
        • Both industry and government need to differentiate between IT and SCADA security; SCADA security is its own class, despite integration issues between IT and non-IT environments.
      • CIP is about protecting an overall organizations’ operations, not necessarily it’s assets (physical or logical) (4) -- meaning ‘holistic’.
      Are there any Issues with SCADASEC and CIP? 4. http://books.google.com/books?id=oPi2SNHhowcC&printsec=frontcover&dq=radvanovsky&ie=ISO-8859-1&cd=4#v=onepage&q=&f=false.
      • Changes implemented in “SCADA Land” cannot be easily undone as with “IT Land”
        • In an IT environment, patches or firmware fixes are simply backed out; with SCADA environments, this might mean production shutdown for several hours – to several days – depending on complexity of issue(s).
        • Vulnerabilities found on or announced on the SCADASEC list pose a challenge for containment and proper handling of such information.
      • SCADASEC mailing list hopes to address some of the socio-economical / geo-political issues surrounding these differences
        • Until more formalized educational capabilities exist – for now – SCADASEC fills a niche market.
      Are there other Challenges with SCADASEC?
    • Photos of Infracritical’s Data Center Second server from bottom houses SCADASEC, along with 12 other mailing lists, both publicly and privately operated. Infracritical’s data center consists of legacy equipment that was donated; approx. 30 servers active at any time.
    • Questions? Bob Radvanovsky, (630) 673-7740 [email_address] A copy of this presentation may be found at our web site: http://www.infracritical.com/papers/scadasec-2010.zip Creative Commons License v3.0.