© Siemens Industry, Inc. 2014 All rights reserved. Answers for industry. 
Constructive Tension: The Vendor/Researcher Relationship
CLASS 2014 - 1st SCADA Security Conference LATAM
Agenda
• Introduction
• Background of Siemens Industrial Security
• Goals of ICS Vulnerability Disclosure
• Siemens Disclosure Policy
• Other Vendors' Disclosure Policies
• Researchers' Disclosure Policies
• Areas of Agreement
• Ideas for Improved Cooperation
• Conclusions
• Q&A
Personal Introduction
Who Am I?
Harry Brian
• Siemens Industry Digital Factory, R&D
• Responsible for Product and Solutions Security, North America (PLC, HMI, Drives)
Previously:
• Product and Project Management, System Test
• Founder and general partner of Paragon Control Systems
• B.S. Computer Science, North Carolina State University
• Several SANS certifications
Product Security Responsibilities
Digital Factory: PLC, Drives, HMI, Networking, SCADA
Johnson City, TN USA Product Development: S7-200, WinAC, PLCSim, S7-1200
Industry Security Network (organization chart)
Product and Solution Security Office, working with: Security System Architecture; Research & Development; CS Value Services; System Test; Customer Support; Consulting, System functions; Interface to Office-IT; Security Lab; International Hubs; Process Improvement; Secure PC / HMI; Hardware Integrity; Security Requirements; Security Marketing & Comm; Standards, Regulations, internal Assessment.
• Central Office – HQ Nuremberg
• Security Experts from all organizations
• Full-time and Part-time Security
• Product and Process Experts
• Close to customer Requirements
Siemens Regional Security Hubs
Hubs (map): Singapore, Brazil, Russia, China, France, India, North America, UK, HQ
• Monitor the Regional Security Environment
• Respond to reports of SIMATIC Security Incidents
• Interface to External Security Researchers
• Interface to Regional CERT
• Coordinate / Resolve customer questions
R&D Engineering Support
• Train RD staff in Product Security Awareness
• Security Lab Activities
• Duplication, Resolution of Vulnerabilities
The Problem
One of the most contentious debates in the ICS security field involves the publication of security vulnerabilities.
Arguments for publication:
• Public disclosure of security information inspires vendors to be truthful about flaws, repair vulnerabilities and build more secure products.
• Disclosure and peer review advance the state of the art in security.
• Researchers can figure out where new technologies need to be developed.
• Information can help policymakers understand where problems tend to occur.
Arguments against publication:
• Vulnerability information can give attackers the information they need to exploit a security hole in a system and cause harm.
• Release of proof-of-concept code allows “script-kiddies” to launch attacks without knowledge of the consequences.
• End-users and Owner/Operators in many cases cannot shut down operations to apply patches, so they remain vulnerable to attack.
• The ICS vendor design and test cycle is lengthy.
ICS Owner/Operator “Window of Exposure”
Timeline: Discovery → Exploit → Disclosure → Patch Available → Patch Applied
Window of Exposure: from Discovery until a Patch is Available.
Window of Exposure (Organization): from Discovery until the Patch is Applied.
Source: https://www.honeywellprocess.com/library/news-and-events/presentations/HUGAP-IndustrialCyberSecurity.pdf
Siemens Disclosure Policy
Siemens discloses product security vulnerabilities that have been adequately fixed within our products and solutions through security advisories containing detailed information about the issues.
Process: Report → Analysis → Handling → Disclosure
Siemens Security Advisories
August 14th, 2014: Update for Simatic S7-1500
Siemens provides firmware version Simatic S7-1500 V1.6 which fixes one vulnerability. The update is recommended to all users.
We thank Arnaud Ebalard from Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) for his information.
---------------------------------------------------------------------------
July 23rd, 2014: Update for Simatic WinCC
Siemens provides product release Simatic WinCC V7.3 which fixes several vulnerabilities.
We thank Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai from Positive Technologies for their information.
Thoughts from Researchers
• “With public disclosure, you widen the circle of critical and innovative eyes, and a third party might be able to mitigate where the vendor cannot”
• “The industrial sector should realize that security researchers are not against vendors.”
• “Security researchers are donating significant time and expertise that would otherwise cost vendors thousands of dollars.”
• “Good disclosure programs have: Respect, Optional Anonymity, Legal Impunity, Security, Responsiveness, and Openness.”
• “ICS vendors should work with independent security researchers to promote responsible disclosure.”
Uncoordinated Disclosure: Potential for Problems
Who is ICS CERT?
ICS-CERT: Industrial Control Systems Cyber Emergency Response Team
• Part of the Department of Homeland Security
• Respond to and analyze control systems related incidents
• Conduct vulnerability and malware analysis
• Provide situational awareness in the form of actionable intelligence
• Coordinate the responsible disclosure of vulnerabilities/mitigations
• Share and coordinate vulnerability information and threat analysis through informational products and alerts
http://www.us-cert.gov/control_systems/ics-cert/
ICS-CERT Advisories
Advisories provide timely information about current security issues, vulnerabilities, and exploits.
Advisories by Vendor
• ICSA-14-269-01: Bash Command Injection Vulnerability
• ICSA-14-261-01: Advantech WebAccess Vulnerabilities
• ICSA-14-260-01: Yokogawa CENTUM and Exaopc Vulnerability
• ICSA-14-259-01: Schneider Electric SCADA Expert ClearSCADA Vulnerabilities
• ICSA-14-254-01: Schneider Electric VAMPSET Buffer Overflow
• ICSA-14-224-01: Ecava Integraxor SCADA Server Vulnerabilities
• ICSA-14-247-01: Sensys Networks Traffic Sensor Vulnerabilities
• ICSA-14-238-01: CG Automation Improper Input Validation
• ICSA-14-238-02: Schneider Electric Wonderware Vulnerabilities
• ICSA-14-198-03C: Siemens OpenSSL Vulnerabilities (Update C)
• ICSA-14-226-01: Siemens SIMATIC S7-1500 CPU Denial of Service
• ICSA-14-196-01: SubSTATION Server Telegyr 8979 Master Vulnerabilities
ICS-CERT Responsible Disclosure
1. ICS-CERT will attempt to coordinate all reported vulnerabilities with the affected vendor.
   a. Type and schedule of disclosure will be determined based on the factors involved.
2. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter.
   a. ICS-CERT will advise the reporter of significant changes in the status of any vulnerability reported to the extent possible without revealing information provided in confidence by the vendor.
   b. Affected vendors will be apprised of any publication plans, and alternate publication schedules will be negotiated with affected vendors as required.
3. UPDATE! In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, ICS-CERT may disclose vulnerabilities 45 days after the initial contact is made, regardless of the existence or availability of patches or workarounds from affected vendors.
4. Goal: Balance the need of the control system community to be informed of security vulnerabilities with the vendors' need for time to respond effectively.
   a. The final determination of the type and schedule of publication will be based on the best interests of the community overall.
ICS-CERT Sample Advisory Contents 
Advisory (ICSA-14-205-02) 
Siemens SIMATIC WinCC Vulnerabilities 
Original release date: July 24, 2014 
• OVERVIEW 
• AFFECTED PRODUCTS 
• IMPACT 
• BACKGROUND 
• VULNERABILITY DETAILS 
• EXPLOITABILITY 
• EXISTENCE OF EXPLOIT 
• DIFFICULTY 
• MITIGATION
Coordinated vs. Uncoordinated Disclosure
Incident Response Flow Chart: How are patches, CERT Alerts, TAs, and Customer Facing Information Created?
1. Security Incident Occurs. Incidents are generally reported to one of these organizations: ICS-CERT, Siemens CERT, or the Hotline.
2. Initial Review and Classification as Security Incident. Siemens CERT, System Test, RD, CS 1 and the Regional Security Hub are typically involved in this step.
3. Form Response Team. The response team is formed based upon the technical nature of the event. It typically includes the Head of Security Hub, Region Security Hub Lead, Siemens CERT, RD Manager, System Test Manager, Hotline, HQ Media Relations, and other technical experts as required.
4. Develop Transparent Explanation of Problem. The Transparent Explanation of the Problem is the source for several other important deliverables.
5. Propose Solutions to AS Management.
6. Coordinate Approved Solutions, across three tracks:
   • R&D: RQ’s Generated → Bug Fixes → System Test (Siemens, CERT, Researcher) → Patch Available.
   • Siemens CERT: ICS-CERT Advised → ICS-CERT Alert (Private Portal) → TA Issued → ICS-CERT Alert (Public Portal); S&S Web Posting / Holding Statement → S&S Web Posting (update).
   • HQ AS Mkt / PM / MR: Region MR creates the Region Media Message (Issue Statements, Respond to Press, Twitter); Region Mkt. creates the Region Mkt. Message (Customer Letters, Presentations, Customer Spokespersons).
Thank You! – Muito Obrigado! 
Questions?
Contact page
Harry Brian
Product and Solution Security
Siemens Industry, Inc.
One Internet Plaza
Johnson City, TN 37604
Phone: +1 (423) 262-2292
E-mail: harry.brian@siemens.com

[CLASS 2014] Palestra Técnica - Alexandre Euclides

  • 1. © Siemens Industry, Inc. 2014 All rights reserved. Answers for industry. Constructive Tension: The Vendor/Researcher Relationship CLASS 2014 - 1st SCADA Security Conference LATAM
  • 2. Agenda
    • Introduction
    • Background of Siemens Industrial Security
    • Goals of ICS Vulnerability Disclosure
    • Siemens Disclosure Policy
    • Other Vendors' Disclosure Policies
    • Researchers' Disclosure Policies
    • Areas of Agreement
    • Ideas for Improved Cooperation
    • Conclusions
    • Q&A
  • 3. Personal Introduction – Who Am I?
    Harry Brian, Siemens Industry Digital Factory, R&D
    Responsible for Product and Solutions Security, North America (PLC, HMI, Drives)
    Previously: Product and Project Management, System Test; Founder and general partner of Paragon Control Systems
    B.S. Computer Science - North Carolina State University; several SANS certifications
  • 4. Product Security Responsibilities – Digital Factory: PLC, Drives, HMI, Networking, SCADA
  • 5. Johnson City, TN USA Product Development: S7-200, WinAC, PLCSim, S7-1200
  • 6. Industry Security Network
    Functions represented: Product and Solution Security Office; Security System Architecture; Research & Development; CS Value Services; System Test; Customer Support; Consulting, System functions; Interface to Office-IT; Security Lab; International Hubs; Process Improvement; Secure PC / HMI; Hardware Integrity; Security Requirements; Security Marketing & Comm; Standards, Regulations, internal Assessment
    • Central Office – HQ Nuremberg
    • Security Experts from all organizations
    • Full-time and Part-time Security Product and Process Experts
    • Close to customer Requirements
  • 7. Siemens Regional Security Hubs: Singapore, Brazil, Russia, China, France, India, North America, UK, HQ
    • Monitor the Regional Security Environment
    • Respond to reports of SIMATIC Security Incidents
    • Interface to External Security Researchers
    • Interface to Regional CERT
    • Coordinate / Resolve customer questions
    R&D Engineering Support
    • Train RD staff in Product Security Awareness
    • Security Lab Activities
    • Duplication, Resolution of Vulnerabilities
  • 8. The Problem – One of the most contentious debates in the ICS security field involves the publication of security vulnerabilities.
    Arguments for disclosure:
    • Public disclosure of security information inspires vendors to be truthful about flaws, repair vulnerabilities and build more secure products.
    • Disclosure and peer review advance the state of the art in security.
    • Researchers can figure out where new technologies need to be developed.
    • Information can help policymakers understand where problems tend to occur.
    Arguments against disclosure:
    • Vulnerability information can give attackers the information they need to exploit a security hole in a system and cause harm.
    • Release of proof-of-concept code allows "script-kiddies" to launch attacks without knowledge of the consequences.
    • End-users and Owner/Operators in many cases cannot shut down operations to apply patches, so they remain vulnerable to attack.
    • The ICS vendor design and test cycle is lengthy.
  • 9. ICS Owner/Operator "Window of Exposure"
    Timeline: Discovery → Exploit → Disclosure → Patch Available → Patch Applied
    Window of Exposure: from Discovery until Patch Available
    Window of Exposure (Organization): from Discovery until Patch Applied, i.e. until the individual owner/operator has actually installed the fix
    Source: https://www.honeywellprocess.com/library/news-and-events/presentations/HUGAP-IndustrialCyberSecurity.pdf
  • 10. Siemens Disclosure Policy – Siemens discloses product security vulnerabilities that have been adequately fixed within our products and solutions through security advisories containing detailed information about the issues.
    Process: Report → Analysis → Handling → Disclosure
  • 11. Siemens Security Advisories
    August 14th, 2014 – Update for Simatic S7-1500: Siemens provides firmware version Simatic S7-1500 V1.6 which fixes one vulnerability. The update is recommended to all users. We thank Arnaud Ebalard from Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) for his information.
    July 23rd, 2014 – Update for Simatic WinCC: Siemens provides product release Simatic WinCC V7.3 which fixes several vulnerabilities. We thank Sergey Gordeychik, Alexander Tlyapov, Dmitry Nagibin, and Gleb Gritsai from Positive Technologies for their information.
  • 12. Thoughts from Researchers
    • "With public disclosure, you widen the circle of critical and innovative eyes, and a third party might be able to mitigate where the vendor cannot"
    • "The industrial sector should realize that security researchers are not against vendors."
    • "Security researchers are donating significant time and expertise that would otherwise cost vendors thousands of dollars."
    • "Good disclosure programs have: Respect, Optional Anonymity, Legal Impunity, Security, Responsiveness, and Openness."
    • "ICS vendors should work with independent security researchers to promote responsible disclosure."
  • 13. Uncoordinated Disclosure – Potential for Problems
  • 14. Who is ICS CERT? ICS CERT - Industrial Control Systems Cyber Emergency Response Team (http://www.us-cert.gov/control_systems/ics-cert/)
    • Part of the Department of Homeland Security
    • Respond to and analyze control systems related incidents
    • Conduct vulnerability and malware analysis
    • Provide situational awareness in the form of actionable intelligence
    • Coordinate the responsible disclosure of vulnerabilities/mitigations
    • Share and coordinate vulnerability information and threat analysis through informational products and alerts
    ICS-CERT Advisories: Advisories provide timely information about current security issues, vulnerabilities, and exploits. Advisories by Vendor:
    • ICSA-14-269-01 : Bash Command Injection Vulnerability
    • ICSA-14-261-01 : Advantech WebAccess Vulnerabilities
    • ICSA-14-260-01 : Yokogawa CENTUM and Exaopc Vulnerability
    • ICSA-14-259-01 : Schneider Electric SCADA Expert ClearSCADA Vulnerabilities
    • ICSA-14-254-01 : Schneider Electric VAMPSET Buffer Overflow
    • ICSA-14-224-01 : Ecava Integraxor SCADA Server Vulnerabilities
    • ICSA-14-247-01 : Sensys Networks Traffic Sensor Vulnerabilities
    • ICSA-14-238-01 : CG Automation Improper Input Validation
    • ICSA-14-238-02 : Schneider Electric Wonderware Vulnerabilities
    • ICSA-14-198-03C : Siemens OpenSSL Vulnerabilities (Update C)
    • ICSA-14-226-01 : Siemens SIMATIC S7-1500 CPU Denial of Service
    • ICSA-14-196-01 : SubSTATION Server Telegyr 8979 Master Vulnerabilities
  • 15. ICS-CERT Responsible Disclosure
    1. ICS-CERT will attempt to coordinate all reported vulnerabilities with the affected vendor.
       a. Type and schedule of disclosure will be determined based on the factors involved.
    2. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter.
       a. ICS-CERT will advise the reporter of significant changes in the status of any vulnerability reported to the extent possible without revealing information provided in confidence by the vendor.
       b. Affected vendors will be apprised of any publication plans, and alternate publication schedules will be negotiated with affected vendors as required.
    3. UPDATE! In cases where a vendor is unresponsive, or will not establish a reasonable timeframe for remediation, ICS-CERT may disclose vulnerabilities 45 days after the initial contact is made, regardless of the existence or availability of patches or workarounds from affected vendors.
    4. Goal: Balance the need of the control system community to be informed of security vulnerabilities with the vendors' need for time to respond effectively.
       a. The final determination of the type and schedule of publication will be based on the best interests of the community overall.
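As an added example that is not part of the slides, the following Python models the slide-9 "window of exposure" timeline together with the slide-15 ICS-CERT 45-day coordination clause, so a defender can see how an open vendor window, an unresponsive vendor and an exploit seen before a patch change the picture. The class, function names, the AS_OF date and all sample dates are constructed for illustration.

```python
# Added example, not from the slides: models the "window of exposure" timeline
# (slide 9) and the ICS-CERT 45-day coordination clause (slide 15).
# Names and dates are constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

COORDINATION_DEADLINE = timedelta(days=45)  # slide 15: may disclose 45 days after first contact
AS_OF = date(2014, 11, 5)                   # constructed "today" used for the samples

@dataclass
class VulnTimeline:
    discovery: date
    disclosure: date                          # public advisory or uncoordinated post
    patch_available: Optional[date] = None    # vendor fix shipped
    patch_applied: Optional[date] = None      # applied by one owner/operator
    exploit_seen: Optional[date] = None       # exploit or PoC known to exist
    vendor_first_contact: Optional[date] = None
    vendor_responsive: bool = True

def window_of_exposure(t: VulnTimeline, today: date = AS_OF) -> dict:
    """Days from discovery until a fix exists (vendor window) and until it is
    actually applied (organization window). Open windows run up to `today`."""
    vendor_end = t.patch_available or today
    org_end = t.patch_applied or today
    return {
        "vendor_days": (vendor_end - t.discovery).days,
        "organization_days": (org_end - t.discovery).days,
        "vendor_window_open": t.patch_available is None,
        "organization_window_open": t.patch_applied is None,
        # the risky case on slide 9: exploit or public details exist before a patch
        "exposed_before_patch": any(d is not None and d < vendor_end
                                    for d in (t.exploit_seen, t.disclosure)),
    }

def earliest_public_disclosure(t: VulnTimeline) -> Optional[date]:
    """Slide 15: an unresponsive vendor may be disclosed 45 days after initial
    contact; a cooperating vendor's advisory follows the coordinated patch date."""
    if t.vendor_first_contact is None:
        return None                            # nothing to coordinate yet
    if not t.vendor_responsive:
        return t.vendor_first_contact + COORDINATION_DEADLINE
    return t.patch_available                   # None while the fix is still pending

# Constructed samples: a coordinated fix-then-advisory case, and an unresponsive vendor.
COORDINATED = VulnTimeline(date(2014, 5, 1), date(2014, 8, 14), patch_available=date(2014, 8, 14),
                           patch_applied=date(2014, 10, 1), vendor_first_contact=date(2014, 5, 5))
UNRESPONSIVE = VulnTimeline(date(2014, 6, 1), date(2014, 7, 18), exploit_seen=date(2014, 7, 1),
                            vendor_first_contact=date(2014, 6, 3), vendor_responsive=False)
```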
  • 16. ICS-CERT Sample Advisory Contents – Advisory (ICSA-14-205-02) Siemens SIMATIC WinCC Vulnerabilities, original release date: July 24, 2014
    • OVERVIEW
    • AFFECTED PRODUCTS
    • IMPACT
    • BACKGROUND
    • VULNERABILITY DETAILS
    • EXPLOITABILITY
    • EXISTENCE OF EXPLOIT
    • DIFFICULTY
    • MITIGATION
  • 17. Coordinated vs Uncoordinated Disclosure
  • 18. Siemens CERT Incident Response Flow Chart - How are patches, CERT Alerts, TAs, and Customer Facing Information Created?
    Security Incident Occurs: incidents are generally reported to one of these organizations: ICS-CERT, Siemens CERT, Hotline
    Initial Review and Classification as Security Incident: Siemens CERT, System Test, RD, CS 1, Regional Security Hub are typically involved in this step
    Form Response Team: response team formed based upon technical nature of event. Typically includes Head of Security Hub, Region Security Hub Lead, Siemens CERT, RD Manager, System Test Manager, Hotline, HQ Media Relations, and other technical experts as required
    Develop Transparent Explanation of Problem: the Transparent Explanation of the Problem is the source for several other important deliverables
    Propose Solutions to AS Management
    Coordinate Approved Solutions, which feed the following parallel tracks:
    • R&D: RQ's Generated → Bug Fixes → System Test (Siemens CERT, Researcher) → Patch Available
    • Siemens CERT: ICS-CERT Advised → ICS-CERT Alert (Private Portal) → TA Issued → ICS-CERT Alert (Public Portal)
    • S&S Web Posting: Holding Statement → S&S Web Posting (update)
    • HQ AS Mkt / PM / MR: Create Region Media Message (Region MR: Issue Statements, Respond to Press, Twitter); Create Region Mkt. Message (Region Mkt.: Customer Letters, Presentations, Customer Spokespersons)
  • 19. Thank You! – Muito Obrigado! Questions?
  • 20. Contact page – Harry Brian, Product and Solution Security, Siemens Industry, Inc, One Internet Plaza, Johnson City, TN 37604. Phone: +1 (423) 262-2292. E-mail: harry.brian@siemens.com. Answers for industry.