Tuesday, May 24, 2011

vendors@gov


vendors@gov Fail. Not ICSJWG, but me. There were a lot of great presentations today, and I only managed to see 1.5 of them and give my own. One of the main benefits of ICSJWG is the crowd it draws. There are clients, vendors, gov types and lots of old friends to talk to. Unfortunately that kept me from most of the presentations on Day 2. I did have a chance to talk with a number of the presenters and see the PowerPoints, so here is what I saw or learned.

Kevin Hemsley of ICS-CERT gave a presentation that was helpful and disappointing at the same time. He went into some detail on his perspective of dealings with Luigi Auriemma, and since I have had some emails from Luigi it was interesting to hear the other side. ICS-CERT and Luigi have communicated a number of times over the past six months, but there has been no meeting of the minds. Likely causes are different goals and language issues.

I finally had my chance to publicly ask ICS-CERT about their Stuxnet handling. There was no real answer, as expected, except that they had learned a lot from Stuxnet. This is really the key. When the next Stuxnet-type exploit in the wild occurs, will ICS-CERT be ready and respond better? The handling flowcharts they presented covered coordinated disclosure and non-coordinated/0day disclosure. ICS-CERT is doing a good job of implementing these processes, especially this year. They did not yet have a flowchart or handling process for the case where we learn of a vuln through widespread or targeted actual exploitation. There was a good idea, not mine, that after ICS-CERT has created this third process they should run Stuxnet through it to see if the process would have worked.

I provided a presentation on Quickdraw, Portaledge and Bandolier research results. Nothing new to loyal blog readers, but we are always surprised at how many people don't know about these projects. Outreach continues.

Look out for SPIDERS – Smart Power Infrastructure Demonstration for Energy Reliability and Security. We will blog on this when we get the presentation, but they have deployed sensors across a variety of networks and systems to collect data for defensive efforts.

Ernie Rakaczky and Paul Forney of Invensys presented on the Security Development Lifecycle for Control Systems. The presentation talked about creating a cyber security culture during development, execution/FAT/SAT, and throughout the deployed system life cycle. Offline, Ernie was telling me that the SDL was actually reducing elapsed development time because fewer problems were making it to QA; they were being caught earlier. Another way to look at this is that the 10% additional effort for the SDL results in a more accurate development schedule. Lots of statistics and lessons learned here, and probably worth a podcast segment.