The first week of April brought another edition of AppSecDC to Washington, D.C., but this year people from two different worlds came to the same conference: Web security and Industrial Control Systems security. Of course, at the device level this convergence happened a long time ago if we take into account that almost every modern PLC includes at least a web server, among other things.
I was presenting Real-world Backdoors in Industrial Devices on the Critical Infrastructure track, which included really exciting topics from well-known researchers including:
- Pentesting Smart Grid Web Apps from Justin Searle
- Vulnerabilities in Industrial Control Systems from ICS-CERT
- AMI Security from John Sawyer and Don Weber
- Project Basecamp: News from Camp 4 from Reid Wightman
- Denial of Service from Eireann Leverett
- Securing Critical Infrastructure from Francis Cianfrocca
I found it remarkable that most of the talks were basically about offensive security. I think that's because ICS researchers are still at the point of squeezing all the potential attack vectors, an approach that eventually will provide the intelligence necessary to actually protect critical infrastructure in the best way possible. We would do well to remember that it's taken many years for the IT sector to finally reach a point where some defensive technologies are solid enough to stop complex attacks.
The best thing about the CI track was that it introduced different perspectives and the technical talks highlighted two issues that should be addressed ASAP: backdoors/unauthenticated protocols and exposure. Amazingly, a large number of industrial devices still rely on unauthenticated protocols and backdoors to implement their functionalities. PLCs, smart meters, HVAC… during the talks we saw real-world examples that would let attackers control facilities, even remotely!
The talk from the ICS-CERT was pretty interesting since it brought another point of view to the track: what happens on the other side? For example, when vendors realize their products contain vulnerabilities or how real incidents are handled—yes, there have been real attacks against industrial facilities. The scary thing is that, according to the data presented by the ICS-CERT, these attacks are not isolated, but represent a trend.
The number of published SCADA vulnerabilities has dramatically increased, and societies (as well as the security industry and researchers) are slowly becoming more aware of and concerned about the importance of securing critical infrastructures. Even so, there are still a lot of things waiting to be discovered, so we should expect exciting findings in this area.
In summary, security conferences are great places to learn about and meet brilliant people, so if you have the chance to attend some, don't hesitate! It was a pleasure to attend and speak at AppSecDC, so I would like to thank OWASP and IOActive for giving me this opportunity.
See you at the next one!