The Center for Education and Research in Information Assurance and Security (CERIAS)


Panel #1: Securing SCADA Systems (Panel Summary)


Tuesday April 3, 2012

Panel Members:

  • Hal Aldridge – Sypris Electronics
  • William Atkins – Sandia National Laboratories
  • Jason Holcomb – Lockheed Martin, Energy and Cyber Services
  • Steven Parker – Energy Sector Security Consortium
  • Lefteri Tsoukalas – Purdue University

Panel Summary by Matt Levendoski

The panel was moderated by Charles Killien, Computer Science, Purdue University.

Dr. Hal Aldridge, the Director of Engineering at Sypris Electronics, opened today’s first panel on the currently popular topic of SCADA security. Dr. Aldridge first presented his current research interest: defining who takes true ownership of, and responsibility for, the security of our nation’s backbone infrastructure, our SCADA and control systems. An interesting question he raised was: what if the responsible party doesn’t have a well-defined background in the security realm?

Dr. Aldridge further delved into smart grids and the fact that they are everywhere. Hal discussed how much code is being used to run the control system of an automobile, which he found a scary thought. In some respects, cars now contain more code than a number of our current fighter jets. He further teased about the concept of an Internet-based coffee maker. All concepts aside, these systems have their downsides, which show up in the form of security problems. Dr. Aldridge closed by saying that he greatly appreciates the interdisciplinary stance of CERIAS and how this allows for great innovation in the industry and in current academic research.

William Atkins, a Senior Member of Technical Staff at Sandia National Laboratories, followed with his perspective on the difference between SCADA and control systems. He specifically focuses on general computing systems security. More precisely, he introduced the term ‘cyber-physical systems’. He presented the recent trend that calls for these systems to be interoperable, because customers don’t want to be locked into a single vendor for their solutions. He further stressed that this topic is vague and largely unknown, which has created a lot of media attention, most notably around the Stuxnet worm.

William further addressed the current trends in security as they relate to control systems. These systems are moving from a more manual, analog approach to a more automated, digital methodology. We want our systems to do more while requiring less. This trend tends to bring about unforeseen consequences, especially when these systems reach an unknown state of inoperability. Additionally, the hypothetical attacks being posed to the public are actually becoming a reality: attackers now have the ability to purchase or acquire the hardware online via surplus sales, eBay, or the like.

William closed with his perspective on SCADA security and how the odds are asymmetrically stacked in favor of the offense versus the defense. Essentially, security tends to get in the way of security. The Stuxnet worm is a great example, in that it exploited vulnerabilities at the access level of anti-virus software, which allowed for a lower-level approach to the attack.

Jason Holcomb is a Senior Security Consultant at Lockheed Martin in Energy and Cyber Services. He opened his panel discussion with an interesting spin on how he got involved with SCADA security: Jason inadvertently caused a denial of service within the SCADA system he was working on, which he then had to remediate.

Jason presented Lockheed’s current approach to the security threats within SCADA systems. Their current research and solutions look to bring some of the advantage back to the defense. This was a great contrast to the perceptions that William Atkins had presented earlier. Jason then introduced the following Cyber Kill Chain:

  • Reconnaissance – Gather information: names, emails, employee info, etc.
  • Weaponization – Create malware, a malicious document, a webpage, etc.
  • Delivery – Deliver the malware, e.g. via an email hyperlink
  • Exploitation – Exploit a vulnerability to gain access to assets
  • Installation – Install on assets
  • Command and Control – Create a channel of communication back to the attacker
  • Actions on Objectives – The adversary performs their objectives

Steven Parker is the Vice President of Technology Research and Projects with the Energy Sector Security Consortium. Steven stated that when it comes to control systems and SCADA, we don’t necessarily need to solve the hard problems, but should focus more on easy solutions. Steven then compared the security industry with the diet industry. A few of his comparisons: the diet industry has dietitians and we have CISSPs; they have nutritional labeling and we have software assurance; everyone wants a no-effort weight-loss program, while security wants an easy solution for everything; and lastly, the diet industry has a surgical procedure called gastric bypass, whereas the security industry has something called regulations and compliance. He closed with the notion that many of the challenges aren’t necessarily technical. These challenges include economic strategies, human interactions, public policy, and legal issues.

Lefteri Tsoukalas is a Professor of Nuclear Engineering at Purdue University. Prof. Tsoukalas jumped right in with the statement that the energy markets are currently undergoing a phase transition. Demand isn’t affected by high prices, as the resources have changed state from abundance to scarcity. This is why energy allocation is key: we need to use our resources when energy prices are lower rather than during peak-cost timeframes. Prof. Tsoukalas also suggested that we take the same perspective as Europe and look into alternative resources. At this point in time we aren’t sitting as comfortably on our current supply of energy resources as we were, say, 100 years ago.

Q&A Session

Question 1: There is a lot of research in SCADA/Control Systems. How do we adapt our research to be more applicable to Control Systems?

Answers/Discussion:

  • Turn problem away from keeping attackers out and focus on other aspects.
  • Looking at domain specific research.
  • Don’t limit research to a very specific area but rather apply it across all platforms.
  • The issue is not that systems are attached to the Internet, but that we need better control of these systems in both the physical and cyber worlds.
  • Looking from the console perspective things may be fine, but sometimes they aren’t. We can’t always rely on the digital tools.
  • Understanding the business is critical for research.
  • Developing methods for evolved systems.
  • Resilience is key, protect privacy and confidentiality.

Question 2: How do we get a handle on global regulations?

Answers/Discussion:

  • A lot can be shared that doesn’t involve personal or corporate data.
  • Here is where the offense has the advantage over the defense: the offense doesn’t care about regulations, whereas the defense has to.
  • Discussion was diverted to a more local level and the differences and difficulties with sharing data across large and small companies and how smaller companies tend to be more agile from this perspective.

Question 3: What skills do students and staff need to be effective in this area?

Answers/Discussion:

  • Good communication, understanding of business requirements, and a wide range of experience and skills.
  • The industry needs more security experts than there are job openings.
  • Technical experience, and also being a good social engineer.
  • With the core fundamental concepts, you can be trained to flourish in this domain.
  • May want to acquire physics skillsets for operating in control/SCADA systems.

Question 4: What type of attacks have you actually experienced?

Answers/Discussion:

  • This question was diverted for confidential and security reasons.

Further discussion was taken from the following perspective:

  • Be careful with internal use of thumb drives etc. Attackers don’t always know what they are looking for but rather just collect data until they find something of interest.
