the ICS Cybersecurity Conference
Today is the final day of the ICS Cybersecurity Conference. Our coverage will continue through tomorrow at least as we add accounts of some of the conference highlights.
Two presentations this morning were particularly interesting. Stephen Ridley, Senrio's CTO and Founder, spoke about the Devil's Ivy IoT vulnerability his company's researchers discovered earlier this year, but his main points were, "We hate to break it to you, but OT is IT, and ICS is 'IoT'," and "Code reuse is vulnerability reuse; hardware reuse is vulnerability reuse." Code and hardware reuse are pervasive across verticals, he argued.
The other presentation that merits a brief note here was by Dr. Peter Vincent Pry, representing the EMP Task Force on National and Homeland Security. He made everyone's flesh creep with an account of the EMP (electromagnetic pulse) threat not just to the power grid, but to civilization itself. EMP occurs naturally in the form of solar geomagnetic storms. We've seen big ones in 1859 and 1921, before the dawn of the electrical civilization we now enjoy. EMP can also be induced artificially, either by a nuclear weapon or, on a smaller scale, by a non-nuclear EMP kit. An EMP attack that's well within the demonstrated capabilities of a "failed state" like North Korea could, Pry argued, take down the US power grid for eighteen months, with attendant loss of life on a catastrophic scale. Russian military doctrine, he said, treats EMP as a non-nuclear option.
Before we leave Atlanta, a few notes on discussions heard at the conference may be worth sharing. Plant hardware and the systems that control and monitor it are sufficiently disparate that they would seem to defy application of any standardized, easily applied security approach. Every plant, and even every section of every plant, seems likely to require a tailored solution. There's some disagreement among the conference's participants over this point, but that disagreement is really a matter of degree, not kind.
A deeper and more interesting division separates those who see the possibility of catastrophe from their colleagues who see industrial infrastructure as more resilient and less likely to suffer disaster. There's genuine disagreement here, but that disagreement too is partly a matter of perspective. The engineers who operate plants and worry about doing so safely and reliably tend to fall into the more pessimistic camp. They're very much alive to the dependencies, the possibilities of cascading failure, and the difficulty of keeping complex systems in equilibrium.
The cyber operators tend toward the optimistic: they're engaged, at least imaginatively and sometimes actually, in thinking about attack, and they perceive all of the attackers' difficulties so familiar to military operators. To be sure, the attacker has the initiative and can choose the time and place of engagement. Beyond that, the defender has advantages, too: it's not for nothing that conventional tactical wisdom looks for a three-to-one advantage before going on the attack.