The Claroty Blog

Claroty Wins ICS Detection Challenge and other Highlights from S4X18 in Miami

Patrick McBride

The 11th Annual S4x18 conference is in the books! It was cooler in Miami than we all had hoped for, but Dale Peterson, Liz Daley and the S4 presenters had some hot content to share with their peers in the ICS community. There were far too many cool things happening at S4 to cover them all – great content, thoughtful discussions, lively debates on and off the stage and comradery for a boatload of people with a shared mission–protecting the critical control systems we rely on every day.

Dale’s keynote and his “try it” challenge set the tone.  He asked an auditorium full of ICS veterans–some more jaded than others–to believe, at least for 4 days in South Beach, that we could make real and sustained improvements in ICS cybersecurity. And, if possible, keep that newfound spring in our step with us after the show.  Mission accomplished!  We’re in!

A few highlights from Claroty’s perspective include:

ICS Threat Detection Challenge – Claroty Wins!

By far, the highlight for Team Claroty was competing in and winning the ICS Detection Challenge that Digital Bond, ICSSecure and the aeSolutions teams cooked up. 

In the same diligent way Dale held control system vendors to account for security design flaws a “few” years back, he has been trying to help asset owners sort out ICS threat detection technologies and vendor claims.  It took Dale, ICSSecure and aeSolutions teams months of hard work to prepare the contest and we, and the rest of the industry, really appreciate their efforts!  When you are willing to provide “non billable” hours to make it happen, you are in it for the mission!  Thank you, Dale Peterson, Eric Byres, John Cusimano, Ron Brash and everyone else that chipped in - you are helping raise the bar!

We applaud all the competitors who decided to enter the fray. Deciding to jump into a first-ever competition of this sort was a hard decision for all of us and we challenge the other vendors to join in next year – hopefully there will be a next year!

The challenge was split into two parts–Identification and Detection.

On Tuesday, contestants consumed PCAPs taken from fifteen different sites at a West Coast oil and gas company.   The contestants were asked to use their products to identify assets on the network and provide a view of how the assets were communicating. This was a blind challenge–none of the vendors knew anything about the network other than the fact that it was from an O/G pipeline company.   Contestants were rewarded for discovering assets, identifying specific details about them and were given bonus points for unique insights.  Scoring was designed to test the products themselves, rather than the teams, with more points awarded for quick answers.  Claroty won the day.

It was a difficult challenge since the PCAPs were taken from fifteen segments and only included one hour of network traffic. Claroty Continuous Threat Detection performed very well. But we also made a few tactical errors that held our day 1 score down. For example, we didn’t submit some of the assets we discovered for scoring–we initially classified them as “ghost assets” and we err on the side of accuracy.

On Thursday, for part two, contestants received a live stream of network data. Ron Brash noted that it “was a ruthless and fast paced attack; all within 52 minutes.” The data included various known malware including known ICS threats (e.g., Havex and Stuxnet), port scans (fast and slow), policy violations (e.g., plaintext passwords), logic changes and firmware, etc. This is where the rubber meets the road: the ability to detect attacks on ICS networks that can impact industrial processes, as well as precursor activity early in the “cyber kill chain” that can signpost an impending attack. Again, our Continuous Threat Detection product performed outstandingly and Claroty won the day.




During the award ceremony, judges Eric Byres, John Cusimano and Ron Brash discussed the challenge with the Claroty Research team (Amir “Jumbo” Preminger, Tal Keren and Nadav Erez). The judges noted just how difficult it was for the contestants–with Eric Byres remarking that the contest was “much harder than the real world because of the limited time sample, lack of context and the use of only one sensor”. In a nod to Claroty and the overall threat detection category, Byres also noted that he was “pleasantly surprised just how well all the products performed”. We were not surprised–visibility and threat detection for ICS is definitely ready for prime time–and we look forward to competing next year!


Schneider Electric Takes the High Road with Triton 

Quite likely the revelation with the greatest long-term impact was Schneider Electric (SE) sharing details of the Triton malware used to attack a Triconex safety system. SE decided to deal with this attack head-on and to discuss details publicly. Claroty and the rest of the industry loudly applauded their forthcoming approach. Other industrial vendors will have to contend with attacks on their systems and we trust that Schneider Electric’s example will provide a roadmap for these unfortunate but likely events moving forward – kudos to the SE team!!

Paul Forney and Andrew Kling from Schneider Electric shared the results of their malware analysis work–their teams have been working around the clock for months, tearing apart the malware and understanding exactly how it works so they can protect customers.  In addition to sharing details about how the malware works on stage, the two announced that SE had developed a tool customers can use to detect the presence of Triton.

Paul and Andy gave Claroty a nice shout out, with Paul noting “Claroty has an impressive ability to detect Triton Triconex malware on the wire.” Claroty’s Threat Detection recognized the Triton-based attack out of the box, issuing a high-priority suspicious configuration download alert. 

Paul also noted jokingly that Claroty was “bugging them every day” with our findings. We have had a Triconex system in our lab since early 2017 and have supported the protocol in our platform since May. The Claroty Research team shared our malware analysis and lab test findings directly with the Schneider team through the ongoing event.

The Triton episode was not without its issues. For example, some security vendors jumped the gun with less-than-well-coordinated public releases, so there are some “lessons-learned” that should be discussed before the next attack. Stay tuned.


Drive By Shootings – PCAP Style

Where else but S4 can you have a super-technical drive-by shooting?  We love it!  At S4x17 we had a lively discussion/debate with Joel Langill (A.K.A. SCADAHacker) about the intricacies of analyzing and baselining various complex protocols.  During the S4x18 Cabana Sessions Joel dropped by for a “spot challenge”–dropping a PCAP with traffic from the notoriously tricky Honeywell DCS systems on the Claroty Team.  We were up to Joel’s challenge and in a few minutes our Claroty Continuous Threat Detection system was ingesting the data and detailing the system.



CTF – Claroty Team Takes 2nd Place in Their Spare Time

In their not-so-copious spare time away from the ICS Detection Challenge, some of our Research Team worked the S4 Capture the Flag (CTF) competition. They just can’t get enough! We teamed up with Mike Garcia, a cybersecurity expert from the energy sector, adding additional firepower to our team, and took second place in the competition!




If you weren’t already familiar with Digital Bond’s annual S4 ICS security conference, this should give you a bit of the flavor. Companies with serious interest in the current best practices and forward-leaning examples from companies on the journey should consider sending their teams responsible for ICS security to S4x19.
