SANS SCADA Summit at Orlando - Bigger problems and so far from getting them solved

Published: 2013-02-20
Last Updated: 2013-02-20 21:50:05 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
2 comment(s)

7 days ago finished the eight version of the SANS SCADA Summit at Orlando. Conferences were really great and it was a great opportunity to see that I am not the only CISO that is having trouble developing and implementing an information security program to the ICS world of the company. The most important conclusions obtained back there are:

  • Operators and professionals from the industrial world does only care about the process: they want it efficient, reliable, available all the time and simple. When we, the security people, try to implement some control measures to avoid risks from being materialized, we need to preservate all those attributes to the process. Let's keep in mind that if we cannot improve the ICS process with our controls, the business won't let us do anything and they prefer to suffer the risk materializing than let us try to avoid them.
  • Compliance is a consequence of implementing a good security program. Choose a good framework to implement and begin working. Examples of such frameworks are:
    • NERC CIP
    • ISA (Industrial Automation and Control Systems Security) 99 IEC 62443
    • 20 Critical security controls
    • NIST GUIDE to SCADA and Control Security
    • CFATS (Chemical Facility anti terrorism standards)
  • As you definitely need to avoid increasing the complexity on the SCADA System operation, you cannot allow irregular acess to your operators to resources outside the Industrial Control System (ICS) network. That means not allowing to read e-mail and not accessing the Internet from the same computer where a Human to Machine Interface (HMI) is installed. They can always use other computers that have access to the IT world.
  • As I stated, the ICS guys only cares about their process and tent to disregard anything that might cause problems or make them feel they are doing their work in a slow way. Therefore, a strong awareness campain is needed pointing to strong motivations like cyberterrorism and materialized risks to the SCADA and ICS systems.
  • Firewalls are good but not enough to protect risks from SCADA and ICS systems. You need to add other controls like SCADA application whitelisting, Host Intrusion Prevention Systems, Network Intrusion Prevention Systems and patch management.
  • Patch unpatched vulnerabilities of your SCADA and ICS systems. If fore some reason the product cannot be patched, take any other approach to lower the risk to the minimum possible value.
  • Include the ICS environment to your information security risk matrix. You need to start including it inside your controls. Otherwise, information security risks will become unmanageable to your SCADA/ICS.

SCADA/ICS systems manages critical infrastructure and could be a target addressed by any irregular and ilegal group. For all us who work to companies where SCADA/ICS systems are vital to business, it will become the most important information asset to protect, as it could be used to destroy all the assets used to ensure company's future money.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org 

2 comment(s)

Update Palooza

Published: 2013-02-20
Last Updated: 2013-02-20 21:37:41 UTC
by Johannes Ullrich (Version: 2)
7 comment(s)


Adobe Acrobat Reader 11.0.02 was published today as a fix for CVE-2013-0640 and CVE-2013-0641. More information at

Wireshark 1.9.0 was published today. It's an experimental release for testing new features for the upcoming 1.10 version.


More updates arrived:

  • Thunderbird 17.03 arrived yesterday. It fixes 8 security vulnerabilities.
  • Apple released yesterday iOS 6.1.2, which can be downloaded fast as it is small (12.8 MB). So far, this update seems to be only related with a bug on echange calendars that increases network utilization causing battery drain. Better to have last version installed as apple does not always list in a detailed way all the fixes contained in an operating system update.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
e-mail: msantand at isc dot sans dot org


If you are easily confused like me, you may appreciate this quick summary as to the different updates released the last couple of days:

Oracle Java:

  • Java 7 Update 15
  • Java 6 Update  41


Firefox 19


(in addition to Apple's Java update to the versions shown above)



  • Flash Player Windows 7 and earlier 11.6.602.168 (Windows 8 and OS X is still use 167)
  • Acrobat/Reader 11.0.02 (went live on Adobe's FTP server Wed. 20th morning)

Probably the most dangerous thing you can do when applying patches is to rush. You may not only end up with a broken system, but worse, the patch may not be applied correctly. Take the time to test that you are all up to date. Encourage your coworkers and relatives to visit to test if all plugins are installed correctly.

(we may update this diary for a day or two)

Johannes B. Ullrich, Ph.D.
SANS Technology Institute


7 comment(s)
ISC StormCast for Wednesday, February 20th 2013


Diary Archives