I was listening to Nohau embedded security seminar 20.5.2015 today (held in Innopoli 2, Espoo, Finland).
Here are some notes:
09:00: Developing Information Security in Industrial Systems, Kalle Luukkainen, Nixu Oy
Kalle describes Nixu’s experiences on the level of information security at industrial companies in Finland.
Nixu’s approach is typically two-fold: A view of the Information Security Management System to analyze the processes,
policies and service agreements, and a technical view of information security to understand what immediate vulnerabilities
are present in the industrial systems and networks.
Most important notes:
- Management and technical security
- Defences are not 100% secure
- In sensitive systems that need to be monitored without disruption or creating new attack paths, use a “data diode” (a unidirectional network link) to send a copy of the system data to the analyzing system without any way to send data in the other direction
- “Data diodes” are available as commercial devices, or can be built with a fiber connection that has only one direction of fiber in it
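The one-way link described above has a consequence for the receiving side: it can never ask for a retransmission, so the monitoring system only learns about lost or damaged data if every frame carries its own sequence number and integrity check. The following is an added illustration of that framing (my own example code, not anything shown at the seminar or from a commercial diode product); the frame layout, the `DIOD` magic value and the sample readings are all constructed for the demonstration.

```python
import hashlib
import struct
from dataclasses import dataclass, field

# Constructed frame format (hypothetical): magic, 32-bit sequence number,
# 32-bit payload length, payload, SHA-256 over header+payload.
MAGIC = b"DIOD"
HEADER_LEN = 12
DIGEST_LEN = 32


def frame(seq: int, payload: bytes) -> bytes:
    """Build one self-validating frame for the send side of the diode."""
    header = MAGIC + struct.pack("!II", seq, len(payload))
    digest = hashlib.sha256(header + payload).digest()
    return header + payload + digest


@dataclass
class DiodeReceiver:
    """Receive side: verifies each frame and records sequence gaps, which is
    the only way to notice that the one-way link dropped something."""
    expected_seq: int = 0
    gaps: list = field(default_factory=list)      # (first_missing, last_missing)
    corrupt: int = 0
    accepted: list = field(default_factory=list)

    def ingest(self, data: bytes):
        if len(data) < HEADER_LEN + DIGEST_LEN or data[:4] != MAGIC:
            self.corrupt += 1
            return None
        seq, length = struct.unpack("!II", data[4:HEADER_LEN])
        payload = data[HEADER_LEN:HEADER_LEN + length]
        digest = data[HEADER_LEN + length:HEADER_LEN + length + DIGEST_LEN]
        expected = hashlib.sha256(data[:HEADER_LEN + length]).digest()
        if len(payload) != length or digest != expected:
            self.corrupt += 1          # damaged in transit; nothing to request
            return None
        if seq < self.expected_seq:
            return None                # duplicate or replayed frame, ignore
        if seq > self.expected_seq:
            self.gaps.append((self.expected_seq, seq - 1))
        self.expected_seq = seq + 1
        self.accepted.append(payload)
        return payload


def simulate_lossy_link() -> DiodeReceiver:
    """Constructed scenario: five sensor readings are sent, frame 2 is lost on
    the fiber and frame 3 arrives with a flipped byte."""
    readings = [b"temp=%d" % (20 + i) for i in range(5)]
    frames = [frame(i, r) for i, r in enumerate(readings)]
    rx = DiodeReceiver()
    for seq, f in enumerate(frames):
        if seq == 2:
            continue                             # dropped on the one-way link
        if seq == 3:
            f = f[:HEADER_LEN] + b"X" + f[HEADER_LEN + 1:]   # corrupted payload
        rx.ingest(f)
    return rx


if __name__ == "__main__":
    rx = simulate_lossy_link()
    print("accepted:", rx.accepted)
    print("gaps:", rx.gaps, "corrupt frames:", rx.corrupt)
```

Because nothing can flow back, the gap list is what the analyzing side alarms on; real one-way transfer products add redundancy (sending each frame several times or forward error correction) on top of this so that a single lost frame does not become a monitoring blind spot.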
09:30: Enabling the Internet of Security Things, Security Requirements and Standards for Modern Embedded Devices, Alan Grau, founder of Icon Labs
Modern society is increasingly reliant on embedded devices to perform critical functions in manufacturing, automobiles,
power generation and transmission, medical applications, communication and a host of other fields and
the Internet of Things is giving rise to greater connectivity than ever before.
At the same time, Cyber-attacks targeting embedded devices are on the rise and creating a greater need for embedded security.
10:35: Protect your products and customers from the threat of cyber attack, Pedro Fernandes at Wurldtech
- Embedded devices are 15x more vulnerable than modern enterprise endpoints
- 70% of IoT devices are vulnerable according to HP Labs
- Industry & critical infrastructure: 52% increase in cyber attacks
- Standards: ISA/IEC 62443:EDSA and NERC/CIP
- Many standards – common themes
- Executives understand compliance
- Don’t rely only on perimeter security
- Secure boot is critical to have in embedded device
- IoT device security parts: Harden device, Data protection, Secure communications, Visibility and Management
- Management and visibility are very important
- Marketing name: Internet of Secure Things (TM)
- OT=Operational Security, ICS=Industrial Control Systems
- Metasploit has ICS modules – use them to test your devices
- Shodan finds devices connected to Internet
- Standards: IEC 62443 standard, CERT (SEI), CWE, BSI (Built Security In)
Trends in industry:
- Poor auditing and logging
- Strong safety but weak security
- Malware gets in and stays undetected for several months or years
11:05: Achilles Communication Certification, Pedro Fernandes at Wurldtech
The Achilles Communications Certification provides a guarantee to operators that industrial devices are robust and can maintain their primary functionality even when under attack.
- Level 1: An established industry benchmark for the deployment of robust industrial devices recognized by the major automation vendors and operators
- Level 2: Expansion of Level 1 Certification by employing more tests and more monitor pass/fail requirements
- Level 1: the most important functionality must keep working; less important functionality can be sacrificed for that (for example, turning off the network for some time if traffic overloads the device)
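To make the Level 1 idea concrete, here is an added example of a load-shedding guard (my own illustration, not code from Wurldtech or the Achilles test suite): the device counts packet arrivals over a sliding window and, when a flood exceeds its budget, stops servicing the network for a cool-down period so the control loop keeps meeting its deadlines. The packet budget, window and cool-down values are assumed for the demonstration.

```python
from collections import deque


class NetworkLoadGuard:
    """Decides per packet whether the network stack may spend CPU on it.
    Exceeding max_pkts_per_sec within the window triggers shedding: network
    work is refused until the cool-down expires, the control loop is never
    touched. All numbers are constructed defaults for the example."""

    def __init__(self, max_pkts_per_sec=100, window_s=1.0, cooldown_s=5.0):
        self.max_pkts_per_sec = max_pkts_per_sec
        self.window_s = window_s
        self.cooldown_s = cooldown_s
        self.arrivals = deque()        # timestamps of admitted packets in window
        self.shed_until = 0.0
        self.shed_events = 0

    def admit(self, now: float) -> bool:
        if now < self.shed_until:
            return False               # still in cool-down: drop without parsing
        self.arrivals.append(now)
        while self.arrivals and self.arrivals[0] <= now - self.window_s:
            self.arrivals.popleft()    # slide the window forward
        if len(self.arrivals) > self.max_pkts_per_sec * self.window_s:
            self.shed_events += 1
            self.shed_until = now + self.cooldown_s
            self.arrivals.clear()
            return False
        return True


def control_tick(state: dict) -> None:
    """Stand-in for the primary function that must survive an attack; a real
    device would run its regulation loop here."""
    state["ticks"] += 1


def simulate_storm() -> dict:
    """Constructed scenario: 1000 packets hit the device within 100 ms while
    the control loop ticks every 10 ms; one more packet arrives after the
    cool-down. Returns what the guard did and whether control kept running."""
    guard = NetworkLoadGuard(max_pkts_per_sec=100, window_s=1.0, cooldown_s=5.0)
    state = {"ticks": 0}
    admitted = 0
    next_tick = 0.0
    for i in range(1000):
        now = i * 0.0001
        while next_tick <= now:        # control loop runs regardless of load
            control_tick(state)
            next_tick += 0.01
        if guard.admit(now):
            admitted += 1              # only now is the packet parsed
    recovered = guard.admit(6.0)       # storm over, cool-down elapsed
    return {
        "admitted": admitted,
        "shed_events": guard.shed_events,
        "control_ticks": state["ticks"],
        "recovered": recovered,
    }


if __name__ == "__main__":
    print(simulate_storm())
```

The point the certification makes is visible in the result: the network side admits only its budget and then goes quiet, while the control tick count is exactly what it would have been without the flood.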
11:20: Use static code analysis for security review, Martti Viljainen at Nohau
Talk about the CodeSonar solution, a source code and binary code analysis tool that performs whole-program, inter-procedural analysis on C, C++, Java, and binary executables. GNU Chess analysis example:
My comment on why “Embedded devices are 15x more vulnerable than modern enterprise endpoints”:
Nowadays modern company Windows PCs sit inside a secured corporate network (firewall and maybe IDS), normally run security software (typically virus protection and firewall functionality), and the OS in them is kept up-to-date with regular updates. The majority of embedded devices in the field run outdated software (they are rarely if ever updated, and even new devices can have in many parts very old software packages in them) that has many known vulnerabilities, and many devices are not designed with security in mind. Take any years-old major embedded operating system, and you can be pretty sure that it has a series of network protocol vulnerabilities in its OS by today’s security standards! I have worked with many embedded operating systems over the years, so I know what is inside them… (I have worked with and tested for example Embedded Linux, Android, uCOS II, PSOS, ThreadX, embedded Windows, Windows CE, etc.).