[CLASS 2014] Palestra Técnica - Alexandre Euclides
- 1. © Siemens Industry, Inc. 2014 All rights reserved. Answers for industry.
Constructive Tension:
The Vendor/Researcher Relationship
CLASS 2014 - 1st SCADA Security Conference LATAM
- 2.
Page 2 2014-Nov-05 H. Brian/ I DF RD SEC
Agenda
• Introduction
• Background of Siemens Industrial Security
• Goals of ICS Vulnerability Disclosure
• Siemens Disclosure Policy
• Other Vendors' Disclosure Policies
• Researchers' Disclosure Policies
• Areas of Agreement
• Ideas for Improved Cooperation
• Conclusions
• Q&A
- 3.
Personal Introduction
Who Am I?
Harry Brian
Siemens Industry Digital Factory, R&D
Responsible for Product and Solutions Security, North America
PLC, HMI, Drives
Previously:
Product and Project Management, System Test
Founder and general partner of Paragon Control Systems
B.S. Computer Science - North Carolina State University
Several SANS certifications
- 4.
Product Security Responsibilities
Digital Factory
PLC
Drives
HMI
Networking
SCADA
- 5.
Johnson City, TN USA Product Development
S7-200
WinAC
PLCSim
S7-1200
- 6.
Industry Security Network
Product and Solution Security Office, linked to:
• Security System Architecture
• Research & Development
• CS Value Services
• System Test
• Customer Support
• Consulting, System functions
• Interface to Office-IT
• Security Lab
• International Hubs
• Process Improvement
• Secure PC / HMI
• Hardware Integrity
• Security Requirements
• Security Marketing & Comm
• Standards, Regulations, internal Assessment
Central Office – HQ Nuremburg
• Security Experts from all organizations
• Full-time and Part-time Security Product and Process Experts
• Close to customer Requirements
- 7.
Siemens Regional Security Hubs
Hubs: Singapore, Brazil, Russia, China, France, India, North America, UK, HQ
• Monitor the Regional Security Environment
• Respond to reports of SIMATIC Security Incidents
• Interface to External Security Researchers
• Interface to Regional CERT
• Coordinate / Resolve customer questions
• R&D Engineering Support
• Train RD staff in Product Security Awareness
• Security Lab Activities
• Duplication, Resolution of Vulnerabilities
- 8.
The Problem
One of the most contentious debates in the ICS security field involves the publication of security vulnerabilities.
For disclosure:
• Public disclosure of security information inspires vendors to be truthful about flaws, repair vulnerabilities and build more secure products.
• Disclosure and peer review advance the state of the art in security.
• Researchers can figure out where new technologies need to be developed.
• Information can help policymakers understand where problems tend to occur.
Against disclosure:
• Vulnerability information can give attackers the information they need to exploit a security hole in a system and cause harm.
• Release of proof-of-concept code allows “script-kiddies” to launch attacks without knowledge of the consequences.
• End-users and Owner/Operators in many cases cannot shut down operations to apply patches, so they would remain vulnerable to attack.
• The ICS vendor design and test cycle is lengthy.
- 9.
ICS Owner/Operator “Window of Exposure”
Timeline: Discovery → Exploit → Disclosure → Patch Available → Patch Applied
• Window of Exposure: from Discovery until Patch Available
• Window of Exposure (Organization): from Discovery until Patch Applied
Source: https://www.honeywellprocess.com/library/news-and-events/presentations/HUGAP-IndustrialCyberSecurity.pdf
- 10.
Siemens Disclosure Policy
Siemens discloses product security vulnerabilities that have been adequately fixed within our products and solutions through security advisories containing detailed information about the issues.
Process: Report → Analysis → Handling → Disclosure
- 11.
Siemens Security Advisories
August 14th, 2014
Update for Simatic S7-1500
Siemens provides firmware version Simatic S7-1500 V1.6 which fixes one vulnerability.
The update is recommended to all users.
We thank Arnaud Ebalard from Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) for his
information.
---------------------------------------------------------------------------
July 23rd, 2014
Update for Simatic WinCC
Siemens provides product release Simatic WinCC V7.3 which fixes several vulnerabilities.
We thank Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai from Positive Technologies for their information.
- 12.
Thoughts from Researchers
• “With public disclosure, you widen the circle of critical and innovative eyes, and a third party might be able to mitigate where the vendor cannot”
• “The industrial sector should realize that security researchers are not against vendors.”
• “Security researchers are donating significant time and expertise that would otherwise cost vendors thousands of dollars.”
• “Good disclosure programs have: Respect, Optional Anonymity, Legal Impunity, Security, Responsiveness, and Openness.”
• “ICS vendors should work with independent security researchers to promote responsible disclosure.”
- 13.
Uncoordinated Disclosure
Potential for Problems
- 14.
Who is ICS CERT?
ICS CERT - Industrial Control Systems Cyber Emergency Response Team
http://www.us-cert.gov/control_systems/ics-cert/
• Part of the Department of Homeland Security
• Respond to and analyze control systems related incidents
• Conduct vulnerability and malware analysis
• Provide situational awareness in the form of actionable intelligence
• Coordinate the responsible disclosure of vulnerabilities/mitigations
• Share and coordinate vulnerability information and threat analysis through informational products and alerts
ICS-CERT Advisories
Advisories provide timely information about current security issues, vulnerabilities, and exploits.
Advisories by Vendor
• ICSA-14-269-01 : Bash Command Injection Vulnerability
• ICSA-14-261-01 : Advantech WebAccess Vulnerabilities
• ICSA-14-260-01 : Yokogawa CENTUM and Exaopc Vulnerability
• ICSA-14-259-01 : Schneider Electric SCADA Expert ClearSCADA Vulnerabilities
• ICSA-14-254-01 : Schneider Electric VAMPSET Buffer Overflow
• ICSA-14-224-01 : Ecava Integraxor SCADA Server Vulnerabilities
• ICSA-14-247-01 : Sensys Networks Traffic Sensor Vulnerabilities
• ICSA-14-238-01 : CG Automation Improper Input Validation
• ICSA-14-238-02 : Schneider Electric Wonderware Vulnerabilities
• ICSA-14-198-03C : Siemens OpenSSL Vulnerabilities (Update C)
• ICSA-14-226-01 : Siemens SIMATIC S7-1500 CPU Denial of Service
• ICSA-14-196-01 : SubSTATION Server Telegyr 8979 Master Vulnerabilities
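As an added example (not code from the talk or from ICS-CERT), a small Python parser for the advisory identifiers listed above: ICS-CERT's ICSA-YY-DDD-NN scheme encodes the release day of the year, which is why ICSA-14-205-02 on the later slide corresponds to its stated release date of July 24, 2014. The sample lines are copied from the list above as constructed input, and the vendor filter is a hypothetical helper for triage.

```python
import re
from datetime import date, timedelta

# ICS-CERT advisory IDs have the form ICSA-YY-DDD-NN[X]: YY is the year,
# DDD the day of the year on which the advisory was released, NN a sequence
# number within that day, and an optional trailing letter an update revision.
ADVISORY_ID = re.compile(r"^ICSA-(\d{2})-(\d{3})-(\d{2})([A-Z])?$")

# Constructed input: lines copied from the "Advisories by Vendor" list above.
SAMPLE_LIST = """
•ICSA-14-269-01 : Bash Command Injection Vulnerability
•ICSA-14-259-01 : Schneider Electric SCADA Expert ClearSCADA Vulnerabilities
•ICSA-14-224-01 : Ecava Integraxor SCADA Server Vulnerabilities
•ICSA-14-198-03C : Siemens OpenSSL Vulnerabilities (Update C)
•ICSA-14-226-01 : Siemens SIMATIC S7-1500 CPU Denial of Service
"""


def parse_advisory_id(advisory_id):
    """Decode an ICSA identifier into release date, sequence and revision."""
    m = ADVISORY_ID.match(advisory_id.strip())
    if not m:
        raise ValueError("not an ICS-CERT advisory id: %r" % advisory_id)
    yy, ddd, seq, rev = m.groups()
    year = 2000 + int(yy)
    released = date(year, 1, 1) + timedelta(days=int(ddd) - 1)
    if int(ddd) < 1 or released.year != year:  # day 000 or past 31 Dec
        raise ValueError("day of year out of range: %r" % advisory_id)
    return {"id": advisory_id.strip(), "released": released,
            "sequence": int(seq), "revision": rev}


def parse_advisory_list(text):
    """Parse '•ID : Title' lines; returns entries newest release first."""
    entries = []
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        if not line:
            continue
        ident, _, title = line.partition(":")
        entry = parse_advisory_id(ident)
        entry["title"] = title.strip()
        entries.append(entry)
    return sorted(entries, key=lambda e: e["released"], reverse=True)


def advisories_for_vendor(entries, vendor):
    """Hypothetical triage helper: entries whose title names the vendor."""
    return [e for e in entries if vendor.lower() in e["title"].lower()]
```

Sorting by the decoded date exposes that the list on the slide is not in release order (ICSA-14-224-01 sits between 259 and 247), and the Siemens S7-1500 advisory decodes to August 14, 2014, the date of the Siemens update on the earlier slide.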
- 15.
ICS-CERT Responsible Disclosure
1. ICS-CERT will attempt to coordinate all reported vulnerabilities with the affected vendor.
a. Type and schedule of disclosure will be determined based on the factors involved.
2. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise
requested by the reporter.
a. ICS-CERT will advise the reporter of significant changes in the status of any vulnerability reported to the extent
possible without revealing information provided in confidence by the vendor.
b. Affected vendors will be apprised of any publication plans, and alternate publication schedules will be negotiated
with affected vendors as required.
3. UPDATE! In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for
remediation, ICS-CERT may disclose vulnerabilities 45 days after the initial contact is made, regardless of
the existence or availability of patches or workarounds from affected vendors.
4. Goal: Balance the need of the control system community to be informed of security vulnerabilities with the vendors'
need for time to respond effectively.
a. The final determination of the type and schedule of publication will be based on the best interests of the
community overall.
- 16.
ICS-CERT Sample Advisory Contents
Advisory (ICSA-14-205-02)
Siemens SIMATIC WinCC Vulnerabilities
Original release date: July 24, 2014
• OVERVIEW
• AFFECTED PRODUCTS
• IMPACT
• BACKGROUND
• VULNERABILITY DETAILS
• EXPLOITABILITY
• EXISTENCE OF EXPLOIT
• DIFFICULTY
• MITIGATION
- 17.
Coordinated vs Uncoordinated Disclosure
- 18.
Incident Response Flow Chart - How are patches, CERT Alerts, TAs, and Customer Facing Information Created?
1. Security Incident Occurs. Incidents are generally reported to one of these organizations: ICS-CERT, Siemens CERT, Hotline.
2. Initial Review and Classification as Security Incident. Siemens CERT, System Test, RD, CS 1, Regional Security Hub are typically involved in this step.
3. Form Response Team. Response team formed based upon technical nature of event. Typically includes Head of Security Hub, Region Security Hub Lead, Siemens CERT, RD Manager, System Test Manager, Hotline, HQ Media Relations, and other technical experts as required.
4. Develop Transparent Explanation of Problem
5. Propose Solutions to AS Management
6. Coordinate Approved Solutions
Patch track (R&D lane): RQ’s Generated → Bug Fixes → System Test (Siemens, CERT, Researcher) → Patch Available
The Transparent Explanation of the Problem is the source for several other important deliverables:
• Siemens CERT lane: ICS-CERT Advised → ICS-CERT Alert (Private Portal) → TA Issued → ICS-CERT Alert (Public Portal)
• S&S Web Posting (Holding Statement) → S&S Web Posting (update)
• HQ AS Mkt / PM / MR → Region MR: Create Region Media Message (Issue Statements, Respond to Press, Twitter)
• HQ AS Mkt / PM / MR → Region Mkt.: Create Region Mkt. Message (Customer Letters, Presentations, Customer Spokespersons)
- 19.
Thank You! – Muito Obrigado!
Questions?
- 20.
Harry Brian
Product and Solution Security
Siemens Industry, Inc
One Internet Plaza
Johnson City, TN 37604
Phone: +1 (423) 262-2292
E-mail: harry.brian@siemens.com
Contact page