The Claroty Blog

Highlights from S4X18 in Miami

| Patrick McBride

The 11th Annual S4x18 conference is in the books!  It was cooler in Miami than we all had hoped for, but Dale Peterson, Liz Daley and the S4 presenters had some hot content to share with their peers in the ICS community. There were far too many cool things happening at S4 to cover them all – great content, thoughtful discussions, lively debates on and off the stage and comradery for a boat load of people with a shared mission–protecting the critical control systems we rely on every day.

Dale’s keynote and his “try it” challenge set the tone.  He asked an auditorium full of ICS veterans–some more jaded than others–to believe, at least for 4 days in South Beach, that we could make real and sustained improvements in ICS cybersecurity. And, if possible, keep that newfound spring in our step with us after the show.  Mission accomplished!  We’re in!

A few highlights from Claroty’s perspective include:

Schneider Electric Takes the High Road with Triton 

Quite likely the most long-term impactful revelation was Schneider Electric (SE) sharing details of the Triton malware used to attack a Triconex safety system. SE decided to deal with this attack head-on and to discuss details publically.  Claroty and the rest of the industry loudly applauded their forthcoming approach. Other industrial vendors will have to contend with attacks on their systems and we trust that Schneider Electric’s example will provide a roadmap for these unfortunate but likely events moving forward – kudos to the SE team!!

Paul Forney and Andrew Kling from Schneider Electric shared the results of their malware analysis work–their teams have been working around the clock for months, tearing apart the malware and understanding exactly how it works so they can protect customers.  In addition to sharing details about how the malware works on stage, the two announced that SE had developed a tool customers can use to detect the presence of Triton.

Paul and Andy gave Claroty a nice shout out, with Paul noting “Claroty has an impressive ability to detect Triton Triconex malware on the wire.” Claroty’s Threat Detection recognized the Triton-based attack out of the box, issuing a high-priority suspicious configuration download alert. 

Paul also noted jokingly, that Claroty was “bugging them every day” with our findings. We have had a Triconex system on our lab since early 2017 and supported the protocol in our platform since May. The Claroty Research team shared our malware analysis and lab test findings directly with the Schneider team through the ongoing event.

The Triton episode was not without its issues. For example, some security vendors jumped the gun with less-than-well-coordinated public releases, so there are some “lessons-learned” that should be discussed before the next attack. Stay tuned.

 

Drive By Shootings – PCAP Style

Where else but S4 can you have a super-technical drive-by shooting?  We love it!  At S4x17 we had a lively discussion/debate with Joel Langill (A.K.A. SCADAHacker) about the intricacies of analyzing and baselining various complex protocols.  During the S4x18 Cabana Sessions Joel dropped by for a “spot challenge”–dropping a PCAP with traffic from the notoriously tricky Honeywell DCS systems on the Claroty Team.  We were up to Joel’s challenge and in a few minutes our Claroty Continuous Threat Detection system was ingesting the data and detailing the system.

 scr2.png

 

CTF – Claroty Team Takes 2nd Place in Their Spare Time

In their not-so-copious spare time away from the ICS Detection Challenge, some of our Research Team worked the S4 Capture the Flag (CTF) competition.  They just can’t get enough!  We teamed up with Mike Garcia a cybersecurity expert from the energy sector–adding additional firepower to our team and took second place in the competition!

 

scr3.png

 

If you weren’t already familiar with Digital Bond’s annual S4 ICS security conference, this should give you a bit of the flavor. Companies with serious interest in the current best practices and forward-leaning examples from companies on the journey should consider sending their teams responsible for ICS security to S4x19.

Subscribe to the Blog