POWER December 2012 - 19
Conference Report: 12th ICS Cyber Security Conference
The 12th ICS Cyber Security Conference was held at Old Dominion
University's Virginia Modeling Analysis and Simulation Center
(VMASC) October 22-25, 2012. There were approximately 150 attendees
from multiple industries, universities, government, and vendors
as well as consultants from the U.S., South America, Europe,
and Asia. The conference used the remote video conferencing capabilities
available at VMASC to enable a few speakers to participate
from as far away as Europe and Asia.
The conference addressed multiple aspects of the vulnerabilities
that affect industrial control systems (ICSs). These are the programmable
logic controllers (PLCs), distributed control systems (DCSs),
SCADA, and other systems that make our modern world function
smoothly every minute of every day by controlling physical processes
in power and water utilities, oil and gas pipelines, chemical and
manufacturing plants, transportation, and defense. These are the
same types of systems that were compromised by Stuxnet.
Conference participants studied case histories and discussed the
progress of standardization and interoperability. No press representatives
were allowed into the conference, and a non-attribution
policy was rigorously enforced, hence the lack of names and affiliations
in this report.
No Consistent Definition
Showing the diversity of interests of those working on cyber security
threats, conference participants could not agree on a single
definition of what constitutes a cyber incident, particularly an unintentional
incident. One very useful outcome of the conference was
developing a better appreciation of the breadth and depth of critical
infrastructure protection (CIP) security required, the wide range of
skills required to solve cyber security problems, and the importance
of sharing information, particularly about unintentional incidents.
ICS cyber incidents caused without intent (failures stemming from
the processing, storage, or transmission of data) can have disastrous
consequences and serve as roadmaps for ICS system hacks.
(For more on ICS protection failures and their consequences, see
"Ensuring the Cybersecurity of Plant Industrial Control Systems" in
the June 2012 issue of POWER, available at www.powermag.com.)
Another key conference finding was that there are few (being
generous) technologies actually developed for ICS that are not recycled
IT solutions. One emerging technology solution was discussed
that could be a game changer because it improves control system
performance and appears not to be susceptible to cyber threats.
However, it is still in the research and development phase, and details
were sparse. Additionally, progress is being made on device
authentication at the protocol level, and some chipmakers are transferring
their know-how to control systems for authenticating end
devices. Protecting product information is becoming much more
common these days (see sidebar).
Many Are Unaware
An international survey performed for CIGRE (the International
Council on Large Electric Systems) identified the lack of cyber understanding
by the control and protective relay community as another
area of work that is currently lagging. This is particularly important
as CIGRE did not address the impact of the Aurora test, a cyber attack
on power generating equipment staged by the U.S. Department
Legal Fears Stifle Public Discussion of Cyber Security Threats
Discussions about technologies used and responses by firms engaged
in securing their cyber systems went in an unexpected
direction at one point during the 12th ICS Cyber Security Conference.
In fact, three events that came to light at the event
demonstrate what appear to be parochial responses to reported
vulnerabilities. Intentionally inhibiting the free interaction and
flow of information between cyber security professionals, particularly
by vendors and the federal government, will only slow future
advances in state-of-the-art ICS security.
In the first situation, two presentations focusing on a nuclear
plant's potential cyber security vulnerabilities were abruptly cancelled
when an equipment supplier threatened to sue the plant
owner. The subject of both talks was the results of a security review
conducted for a foreign nuclear utility, an above-and-beyond
review not required by regulators, but one that the utility voluntarily
pursued. One presentation was to be by utility representatives
and the other was to be by a representative of the utility that
conducted the review. The result of the review identified new and
previously unknown vulnerabilities. Even though the utility had approved
the presentations, the vendor complained it would violate
their nondisclosure agreement.
What the conference participants did learn was that this international
utility's assessment and analysis program is more comprehensive
than what existing U.S. Nuclear Regulatory Commission (NRC)
guidance requires. This raises questions concerning the adequacy
of NRC cyber security guidance and therefore the adequacy of cyber
security programs at all U.S. nuclear plants. It should be mentioned
that representatives of the NRC attended the conference.
In the second case, a firm engaged in cyber security that, according
to an Oct. 29 Reuters report, "uncovered thousands of
pieces of control equipment exposed to online attacks did not tell
U.S. authorities where they were installed because it feared being
sued by the equipment owners." This quashing of important information
sharing based on the fear of lawsuits brought by vendors is
having significant repercussions across many industries.
Finally, attendees learned that the U.S. government "has kept a
technique it discovered for attacking electricity generation equipment
secret for five years," according to the same Reuters report,
leaving known vulnerabilities of many electricity generators without
protection. Ironically, U.S. Defense Secretary Leon Panetta,
also in October, said that terrorists could use cyber attacks to "contaminate
the water supply in major cities or shut down the power
grid across large parts of the country."
The U.S. government is also adding to the difficulty of devising
responses to new threats by routinely classifying critical information
as "secret" and by failing to develop appropriate cyber security
regulations for utilities, according to Kevin McDonald, executive
vice president at security service provider Alvaka Networks in Irvine,
Calif., who says, "If we don't do something as a community, really
bad things are going to happen and people are going to die."