What We Already Know

Who is the S4 audience? This is a question we have been asking ourselves and defining not just in demographic terms such as title, sector, type of company, and knowledge and experience, but also in psychographic terms, which were addressed in the Is S4 For You? post. The purpose is to identify and understand who the “we” is among S4 attendees and to work towards providing the best event for this audience.

If you are an experienced ICS professional who attends and speaks at a variety of events, you likely see a lot of sessions that you quickly dismiss with “I already know that”. There are three main categories of these talks that, while extremely valuable to the larger ICS community, are likely to result in “we already know that” from the S4 audience.

  1. A large percentage of ICS applications and protocols are insecure by design or have easily identified and exploited vulnerabilities due to a lack of a security development lifecycle.
  2. Logical access to most ICS allows an adversary to control and reconfigure a physical process. This access, combined with engineering knowledge and automation skills, can cause an outage, a substandard product or service from the physical process, and damage to physical equipment, people and the environment.
  3. Basic ICS security good practices that are not yet widely deployed or widely known by the ICS community, but are well understood by the advanced ICS security professional.

S4x12 with Project Basecamp and S4x13 with over 50 ICS 0-days drove home the first point. Subsequent sessions at other events have reinforced this across new ICS sectors and product categories that undergo scrutiny. If a skilled researcher comes on stage and steps through how another PLC or ICS application lacks security controls, didn’t follow basic secure coding practices, and was easily exploited, the S4 audience would respond with “we already knew that”.

It shouldn’t be a surprise to many that a compromised control system allows an attacker to perform control and configuration to the degree the authorized engineer and system allow. There continue to be numerous attention-grabbing examples, such as the water systems, car washes and wind farms at Black Hat this year. The S4 audience in general responds with “we already knew that”.

Information and demonstrations of the first two categories above are still required to inform the majority of the ICS community. Most have heard of this, but there is still a disbelief that requires more demonstrations and examples that hit close to home.

The third category is the hardest to evaluate, because it is difficult to tell whether the audience already knows the ICS security practice in question. These are often the most helpful sessions to an asset owner who does not already know the good ICS security practice, so the selection errs on the side of assuming a lack of widespread knowledge among experts. That said, there are many high quality submissions from asset owners showing how they solved a security challenge, or from consultants and vendors showing the problem and the good security practice that solves it, that fall into the category of “we already knew that” for the S4 targeted audience. These sessions are ideal for most other ICS security events that target the full range of ICS experience from novice to expert.

There are exceptions every year: sessions that fall into these three categories and are still selected for S4. For example, an ICS security practice that is contrary to what most people believe can be interesting. Or a new class of attack or post-exploit process may be interesting even to the advanced ICS security professional. We like to see every possible session idea, and this article is meant to help the potential S4 presenter and potential S4 attendee better understand the program we are trying to put together.

I covered this issue as well at the start of a recent Unsolicited Response podcast episode. You can subscribe to the Unsolicited Response podcast at this link.