[CLASS 2014] Palestra Técnica - Alexandre Euclides



Talk title: Constructive Tension: The Vendor / Researcher Relationship

Transcript of [CLASS 2014] Palestra Técnica - Alexandre Euclides

Page 1: [CLASS 2014] Palestra Técnica - Alexandre Euclides

© Siemens Industry, Inc. 2014 All rights reserved. Answers for industry.

Constructive Tension:

The Vendor/Researcher Relationship

CLASS 2014 - 1st SCADA Security Conference LATAM

Page 2: [CLASS 2014] Palestra Técnica - Alexandre Euclides

© Siemens Industry, Inc. 2014 All rights reserved.

2014-Nov-05 Page 2 H. Brian/ I DF RD SEC

Agenda

• Introduction

• Background of Siemens Industrial Security

• Goals of ICS Vulnerability Disclosure

• Siemens Disclosure Policy

• Other Vendors' Disclosure Policies

• Researchers' Disclosure Policies

• Areas of Agreement

• Ideas for Improved Cooperation

• Conclusions

• Q&A

Page 3: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Personal Introduction

Who Am I?

Harry Brian

Siemens Industry Digital Factory, R&D

Responsible for Product and Solutions Security, North America

PLC, HMI, Drives

Previously:

Product and Project Management, System Test

Founder and general partner of Paragon Control Systems

B.S. Computer Science - North Carolina State University

Several SANS certifications

Page 4: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Product Security Responsibilities

Digital Factory

PLC

Drives

HMI

Networking

SCADA

Page 5: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Johnson City, TN USA Product Development

S7-200

WinAC

PLCSim

S7-1200

Page 6: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Industry Security Network

Central Office – HQ Nuremberg

• Product and Solution Security Office

• Security System

• Architecture Research & Development

• CS Value Services

• System Test

• Customer Support

• Consulting, System functions

• Interface to Office-IT

• Security Lab International

• Hubs

• Process Improvement

• Secure PC / HMI

• Hardware Integrity

• Security Requirements

• Security Marketing & Comm

• Standards, Regulations, internal Assessment

Network members:

• Security Experts from all organizations

• Full-time and Part-time Security, Product and Process Experts

• Close to customer Requirements

Page 7: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Siemens Regional Security Hubs

Locations (HQ plus regional hubs): Singapore, Brazil, Russia, China, France, India, North America, UK

Hub responsibilities:

• Monitor the Regional Security Environment

• Respond to reports of SIMATIC Security Incidents

• Interface to External Security Researchers

• Interface to Regional CERT

• Coordinate / Resolve customer questions

• R&D Engineering Support

• Train RD staff in Product Security Awareness

• Security Lab Activities

• Duplication, Resolution of Vulnerabilities

Page 8: [CLASS 2014] Palestra Técnica - Alexandre Euclides


The Problem

One of the most contentious debates in the ICS security field involves the publication of security vulnerabilities.

• Public disclosure of security information inspires vendors to be truthful about flaws, repair vulnerabilities and build more secure products.

• Disclosure and peer review advance the state of the art in security.

• Researchers can figure out where new technologies need to be developed.

• Information can help policymakers understand where problems tend to occur.

• Vulnerability information can give attackers the information they need to exploit a security hole in a system and cause harm.

• Release of proof-of-concept code allows “script-kiddies” to launch attacks without knowledge of the consequences.

• End-users and Owner/Operators in many cases cannot shut down operations to apply patches, so they remain vulnerable to attack.

• The ICS vendor design and test cycle is lengthy.

Page 9: [CLASS 2014] Palestra Técnica - Alexandre Euclides


ICS Owner/Operator “Window of Exposure”

[Figure: timeline Discovery → Disclosure → Exploit → Patch Available → Patch Applied. The “Window of Exposure” runs until Patch Available; the “Window of Exposure (Organization)” runs until Patch Applied.]

Source: https://www.honeywellprocess.com/library/news-and-events/presentations/HUGAP-IndustrialCyberSecurity.pdf

Page 10: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Siemens Disclosure Policy

Siemens discloses product security vulnerabilities that have been adequately fixed within our products and solutions through security advisories containing detailed information about the issues.

Process: Report → Analysis → Handling → Disclosure

Page 11: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Siemens Security Advisories

August 14th, 2014 – Update for Simatic S7-1500

Siemens provides firmware version Simatic S7-1500 V1.6 which fixes one vulnerability. The update is recommended to all users.

We thank Arnaud Ebalard from Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) for his information.

---------------------------------------------------------------------------

July 23rd, 2014 – Update for Simatic WinCC

Siemens provides product release Simatic WinCC V7.3 which fixes several vulnerabilities.

We thank Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai from Positive Technologies for their information.

Page 12: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Thoughts from Researchers

• “With public disclosure, you widen the circle of critical and innovative eyes, and a third party might be able to mitigate where the vendor cannot.”

• “The industrial sector should realize that security researchers are not against vendors.”

• “Security researchers are donating significant time and expertise that would otherwise cost vendors thousands of dollars.”

• “Good disclosure programs have: Respect, Optional Anonymity, Legal Impunity, Security, Responsiveness, and Openness.”

• “ICS vendors should work with independent security researchers to promote responsible disclosure.”

Page 13: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Uncoordinated Disclosure

Potential for Problems

Page 14: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Who is ICS CERT?

ICS CERT - Industrial Control Systems Cyber Emergency Response Team

• Part of the Department of Homeland Security

• Respond to and analyze control systems related incidents

• Conduct vulnerability and malware analysis

• Provide situational awareness in the form of actionable intelligence

• Coordinate the responsible disclosure of vulnerabilities/mitigations

• Share and coordinate vulnerability information and threat analysis through informational products and alerts

http://www.us-cert.gov/control_systems/ics-cert/

ICS-CERT Advisories

Advisories provide timely information about current security issues, vulnerabilities, and exploits.

Advisories by Vendor

• ICSA-14-269-01 : Bash Command Injection Vulnerability

• ICSA-14-261-01 : Advantech WebAccess Vulnerabilities

• ICSA-14-260-01 : Yokogawa CENTUM and Exaopc Vulnerability

• ICSA-14-259-01 : Schneider Electric SCADA Expert ClearSCADA Vulnerabilities

• ICSA-14-254-01 : Schneider Electric VAMPSET Buffer Overflow

• ICSA-14-224-01 : Ecava Integraxor SCADA Server Vulnerabilities

• ICSA-14-247-01 : Sensys Networks Traffic Sensor Vulnerabilities

• ICSA-14-238-01 : CG Automation Improper Input Validation

• ICSA-14-238-02 : Schneider Electric Wonderware Vulnerabilities

• ICSA-14-198-03C : Siemens OpenSSL Vulnerabilities (Update C)

• ICSA-14-226-01 : Siemens SIMATIC S7-1500 CPU Denial of Service

• ICSA-14-196-01 : SubSTATION Server Telegyr 8979 Master Vulnerabilities

Page 15: [CLASS 2014] Palestra Técnica - Alexandre Euclides


ICS-CERT Responsible Disclosure

1. ICS-CERT will attempt to coordinate all reported vulnerabilities with the affected vendor.

   a. Type and schedule of disclosure will be determined based on the factors involved.

2. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter.

   a. ICS-CERT will advise the reporter of significant changes in the status of any vulnerability reported to the extent possible without revealing information provided in confidence by the vendor.

   b. Affected vendors will be apprised of any publication plans, and alternate publication schedules will be negotiated with affected vendors as required.

3. UPDATE! In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, ICS-CERT may disclose vulnerabilities 45 days after the initial contact is made, regardless of the existence or availability of patches or workarounds from affected vendors.

4. Goal: Balance the need of the control system community to be informed of security vulnerabilities with the vendors' need for time to respond effectively.

   a. The final determination of the type and schedule of publication will be based on the best interests of the community overall.

Page 16: [CLASS 2014] Palestra Técnica - Alexandre Euclides


ICS-CERT Sample Advisory Contents

Advisory (ICSA-14-205-02): Siemens SIMATIC WinCC Vulnerabilities

Original release date: July 24, 2014

• OVERVIEW

• AFFECTED PRODUCTS

• IMPACT

• BACKGROUND

• VULNERABILITY DETAILS

• EXPLOITABILITY

• EXISTENCE OF EXPLOIT

• DIFFICULTY

• MITIGATION

Page 17: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Coordinated vs UnCoordinated Disclosure

Page 18: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Incident Response Flow Chart - How are patches, CERT Alerts, TAs, and Customer Facing Information Created?

[Flow chart, reconstructed as steps and swim lanes]

1. Security Incident Occurs. Incidents are generally reported to one of these organizations: ICS-CERT, Siemens CERT, or the Hotline.

2. Initial Review and Classification as Security Incident. Siemens CERT, System Test, RD, CS 1, and the Regional Security Hub are typically involved in this step.

3. Form Response Team. The response team is formed based upon the technical nature of the event. It typically includes the Head of Security Hub, Region Security Hub Lead, Siemens CERT, RD Manager, System Test Manager, Hotline, HQ Media Relations, and other technical experts as required.

4. Develop Transparent Explanation of Problem. The Transparent Explanation of the Problem is the source for several other important deliverables.

5. Propose Solutions to AS Management; Coordinate Approved Solutions.

Swim lanes downstream of the approved solutions:

• R&D: RQ’s Generated → Bug Fixes → System Test (Siemens, CERT, Researcher) → Patch Available

• Siemens CERT: ICS-CERT Advised → ICS-CERT Alert (Private Portal) → TA Issued → ICS-CERT Alert (Public Portal); Holding Statement → S&S Web Posting → S&S Web Posting (update)

• HQ AS Mkt / PM / MR: Create Region Media Message (Issue Statements, Respond to Press, Twitter) → Region MR; Create Region Mkt. Message (Customer Letters, Presentations, Customer Spokespersons) → Region Mkt.

Page 19: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Personal Introduction

Thank You! – Muito Obrigado!

Questions?

Page 20: [CLASS 2014] Palestra Técnica - Alexandre Euclides


Harry Brian

Product and Solution Security

Siemens Industry, Inc

One Internet Plaza

Johnson City, TN 37604

Phone: +1 (423) 262-2292

E-mail: [email protected]

Contact page

Answers for industry.