iPad Air 2, Samsung Galaxy Tab A, or $350 Off with SANS Online Training Right Now!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume IX - Issue #97

December 11, 2007


If you work on security of control systems in the critical infrastructure, you'll want to see the first story today and the new agenda for the January workshop in New Orleans (Jan 16-17). The agenda is at the end of this issue, and it has completely changed, in part because of the regulatory change reported in today's first story. This will be the best meeting held to date on security of control systems because it will provide information unavailable anywhere else: starkly illuminating the actual threat, identifying which mitigations actually work, and providing a survival kit for practitioners. The program is posted at http://www.sans.org/scada08_summit

Alan

PS The SCADA and Process Control Security meeting will be held during the last, large winter cyber security training conference. Information on the training courses at: http://www.sans.org/info/15471

TOP OF THE NEWS

FERC Trumps NERC CIP Standards: To Require Reporting on Actual Progress on Securing Systems
Case Studies of Success in the War of Cybercrime
Memo Indicates China Link to National Lab Network Intrusions
Autonomy Threatens Legal Action Over Vulnerability Disclosure

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS
Alleged Wireless Hijacker and Extortionist Arrested
WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
Russian Chat Bots Gather Information
November Skype Update Fixes Remote Code Execution Flaw
MP4 Codec Flaw Affects Media Players
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Tricare Europe Customers Notified of Data Security Breach
Bank Customer Data on Stolen Laptop
Thieves Steal Data Center Equipment
MISCELLANEOUS
Australian Man Allegedly Posted Phony Attack Warning
Fasthosts Changes Customer Passwords in Wake of Breach
LIST OF UPCOMING FREE SANS WEBCASTS
AGENDA FOR THE SCADA AND PROCESS CONTROL SUMMIT


*********************** Sponsored By ArcSight, Inc. *********************

Free Whitepaper: ArcSight Perspectives on Risk

Cyber attacks. Incident management. Legal issues. Security trends. The subjects are diverse, but the one powerful message is that security is the most important issue your company faces. Learn to make better decisions about risk management with this comprehensive collection of articles. Brought to you by ArcSight, the leader in compliance and security management.
http://www.sans.org/info/20641

*************************************************************************

TRAINING UPDATE
Where can you find Hacker Exploits, Secure Web Application Development, Security Essentials, Forensics, Wireless, Auditing, CISSP, and SANS' other top-rated courses?
- - Washington DC (12/13-12/18): http://www.sans.org/cdi07
- - New Orleans (1/12-1/17): http://www.sans.org/security08/event.php
- - San Jose (2/2 - 2/8): http://www.sans.org/siliconvalley08/event.php
- - Phoenix (2/11 - 2/18) http://www.sans.org/phoenix08/event.php
- - Prague (2/18-2/23): http://www.sans.org/prague08
- - and in 100 other cites and on line any-time: www.sans.org

*************************************************************************

TOP OF THE NEWS

FERC Trumps NERC CIP Standards: To Require Reporting on Actual Progress on Securing Systems (11 December 2008)

The Federal Energy Regulatory Commission (FERC) issued notice that it intends to immediately issue a directive requiring all generator owners, generator operators, transmission owners and transmission operators registered by NERC (North American Electric Reliability Corp.) to provide information detailing the actions they have taken or intend to take to protect against key cyber vulnerabilities.
-http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-21569682.htm
[Editor's Note (Paller): This is a stunning development. NERC's cyber security standards were coming to be seen as almost totally ineffective. FERC's action will immediately shift industry action from NERC's focus on compliance to a new focus on actually improving security and proving the work is done. Kudos to Chairman Langevin and Ranking Member McCaul of the House Homeland Security Subcommittee on Emerging Threats and Cyber Security whose recent hearings illuminate the problems at NERC. Without their leadership, and the active efforts of Mike Peters at FERC, this important action would not have happened until after a major catastrophe. How to navigate the new rules will be a key topic at the SCADA and Control System Security Workshop in January in New Orleans. See:
-http://www.sans.org/scada08_summit]

Case Studies of Success in the War of Cybercrime (December 10, 2007)

A SANS Consensus Document details measurably successful projects that US government agencies have undertaken to implement the National Strategy to Secure Cyberspace. The projects included have had measurable, proven success in preventing attacks on US critical infrastructure, reducing US vulnerability to cyber attacks and minimizing the damage from attacks that do occur. The paper was posted on December 10 for a 29-day comment period.
-http://www.sans.org/fedsuccesses/
[Editor's Note (Honan): Too often the only stories relating to information security we read are bad news stories. This paper is a good read and provides some interesting insights, guidelines and indeed case studies that could strengthen your own business case for more resources. ]

Memo Indicates China Link to National Lab Network Intrusions (December 8 & 10, 2007)

A confidential US Department of Homeland Security (DHS) memo obtained by the New York Times indicates that the recently disclosed attack on a computer system at Tennessee's Oak Ridge National Laboratory may have come from China. The memo does not say that the attack came from the Chinese government or even from Chinese citizens. Attackers appear to have used phishing emails with malicious attachments to gain access to the computer system. The laboratory says the attackers did not access any classified information; they did infiltrate a database containing personally identifiable information of laboratory visitors. The intruders may have attempted to access networks at other national labs and institutions as well.
-http://www.nytimes.com/2007/12/09/us/nationalspecial3/09hack.html?ei=5088&en
=2ce50e252c1ad4ef&ex=1354856400&partner=rssnyt&emc=rss&pagewante
d=print

-http://www.securityfocus.com/brief/641
[Editor's Note (Pescatore): Data by managed security service providers typically shows 3-5 times as many attacks originate in the US as in China. Hyping up the source of the attack makes for breathless headlines but ignores the real security problems - the glaring vulnerabilities routinely left open. If you close the vulnerability, it doesn't matter if the attackers are bored teenager or cyber-criminals - they aren't getting in. ]

Autonomy Threatens Legal Action Over Vulnerability Disclosure (December 6, 2007)

Autonomy has threatened Secunia with legal action if Secunia goes ahead with its plan to publicly disclose a vulnerability that affects some versions of Autonomy's KeyView Software Development Kit (SDK). Autonomy patched the flaw nine months ago, but maintains that a public disclosure would confuse people. Secunia had contacted Autonomy to ask which versions of its SDK were vulnerable to the flaw. The same hole exists in IBM's Lotus Notes; it has only recently been patched. Another letter from Autonomy also threatened legal action if Secunia had obtained Autonomy's source code illegally.
-http://www.channelregister.co.uk/2007/12/06/autonomy_secunia_dust_up/print.html
-http://www.securityfocus.com/brief/640
[Editor's Note (Schultz): Developments such as this one are bound to become more commonplace in time. The announcement of a vulnerability in a vendor product, especially a serious one, by an entity other than the vendor can substantially affect customer relations, public perception of the product, and more.]


************************* Sponsored Links: ***************************

1) ALERT: "How a Hacker Launches a LDAP Injection Attack Step-by-Step"- White Paper http://www.sans.org/info/20646

2) FREE Webcast "Network Visibility-The Key to PCI Compliance." Learn how to get the security, visibility, accountability and measurability necessary to achieve PCI compliance. http://www.sans.org/info/20651

3) Clean Up Your Firewall Rules of Clutter. Maximize Security. Optimize Performance. Free AlgoSec White Paper. http://www.sans.org/info/20656

*************************************************************************

THE REST OF THE WEEK'S NEWS

LEGAL MATTERS

Alleged Wireless Hijacker and Extortionist Arrested (December 10, 2007)

Police in Australia have arrested a man who allegedly hijacked other people's wireless networks to send extortion emails. The threatening messages were manipulated so they appeared to come from someone other than the true sender. The man has allegedly hijacked at least 12 different wireless home networks. Police were able to arrest the man after he made demands that money be delivered to him in a certain location. He has been charged with attempted extortion and sending phony messages.
-http://www.news.com.au/heraldsun/story/0,21985,22898696-5005961,00.html

WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES

Russian Chat Bots Gather Information (December 10, 2007)

An artificial intelligence program circulating in Russian chat forums flirts with human users in an attempt to get them to divulge personally identifiable information. People have fallen prey to CyberLover because it is difficult for them to tell that they are not talking with a real person. The program can create up to 10 relationships in 30 minutes, and assembles dossiers for each relationship that include names, contact information and photographs. So far, CyberLover has just been spotted in Russian chat rooms, but others are urged to use caution while chatting.
-http://www.zdnetasia.com/news/security/printfriendly.htm?AT=62035388-39000005c
[Editor's Comment (Northcutt): In Alan Turing's defense, when he wrote "Computing Machinery and Intelligence" he had no possibility of envisioning a time of such universal access to computing and the Internet, and that computing programs would be able to interact with humans using computers that had double digit IQs. Where does this end? In the remake of Guess Who's Coming to Dinner, will Dr. Prentice be a Second Life Avatar? Say it ain't so. Use a bit of caution before repeating this news story to people you want to respect you, I was not able to find the source document and most of the posts appear to be picking up from other news stories. I did find one blog with a screenshot that is allegedly the tool, but to fall in love with it, you must think in Russian. URLs further explaining my somewhat cryptic note are shown below:
-http://www.webuser.co.uk/news/news.php?id=166536
-http://weblogs.sqlteam.com/markc/archive/2004/06/24/1669.aspx
-http://loebner.net/Prizef/TuringArticle.html
-http://en.wikipedia.org/wiki/Guess_Who%27s_Coming_to_Dinner]

November Skype Update Fixes Remote Code Execution Flaw (December 6 & 10, 2007)

A Skype update released on November 15, Skype 3.6.0.216, addressed a buffer overflow flaw in the Skype4COM URI handler that could allow remote code execution. Attackers could exploit the flaw through maliciously crafted websites. The vulnerability is known to exist in Skype 3.5.0.239, and may also affect earlier versions. A Skype spokesperson has apologized for the "unintentional communication oversight" of not notifying customers of the fix sooner.
-http://www.theregister.co.uk/2007/12/10/skype_stealth_update/print.html
-http://www.zerodayinitiative.com/advisories/ZDI-07-070.html
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9052118&source=rss_topic17

MP4 Codec Flaw Affects Media Players (December 8 & 10, 2007)

A December 8 alert from Symantec warned that exploit code for a flaw in an MP4 codec had been released. The flaw could be exploited to execute arbitrary code. The exploit reportedly works against Windows Media Player (WMP) 6.4, and it is possible that other versions are affected as well. The vulnerable codec is present in WMP, WMP Classic, and Winamp Media Player. There is presently no patch available for the vulnerability. Symantec's alert urged users to remove the codec until fixes are available.
-http://www.computerworld.com/action/article.do?command=viewArticleBasic&arti
cleId=9051959&source=rss_topic17

-http://www.theregister.co.uk/2007/12/10/3ivx_mp4_vuln/print.html

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

Tricare Europe Customers Notified of Data Security Breach (December 10, 2007)

Approximately 4,700 households that submitted health insurance claims through the Tricare Europe office are being notified that their personally identifiable data, including Social Security Numbers (SSNs), names, dates of birth, and medical diagnoses associated with the claims were possibly compromised. The breach affects claims made since 2004; many of those affected no longer live in Europe. Tricare learned of the breach on November 7 from Electronic Data Systems (EDS), which maintains the breached claims website for Tricare. Letters were sent to affected households on December 4. EDS has made changes to its system to enhance security. "TRICARE management Activity is a Department of Defense program that administers the healthcare plan for the Uniformed Services, retirees, and their families."
-http://www.airforcetimes.com/news/2007/12/military_tricarebreach_071207w/
-http://www.tricare.mil/TAOeuropeBreach.cfm
-http://www.tricare.mil/pressroom/news.aspx?fid=350

Bank Customer Data on Stolen Laptop (December 7, 2007)

A laptop computer stolen from a Citizens Advice Bureau employee's car in Ireland contains personally identifiable information belonging to as many as 60,000 individuals. The data include bank account numbers, National Insurance numbers, names, addresses and dates of birth of people who contacted CAB for advice; the data were encrypted. The chief executive of Ireland CAB has apologized to affected customers. The data pertain to people from the Belfast area and go back four or five years.
-http://www.guardian.co.uk/uklatest/story/0,,-7135536,00.html

Thieves Steal Data Center Equipment (December 7 & 10, 2007)

Thieves dressed as police told employees at a Verizon data center in Kings Cross in London that they were looking into reports of people on the roof of the building. The thieves then tied up the employees and stole computer hardware from the facility. The data center is used by a number of financial institutions.
-http://www.theregister.co.uk/2007/12/07/verizon_datacentre_robbery_investigation
/print.html

-http://news.hereisthecity.com/news/business_news/7338.cntns
-http://www.zdnet.co.uk/misc/print/0,1000000169,39291411-39001093c,00.htm
[Editor's Note (Pescatore): Even in credit card fraud, losses due to physical attacks still outweigh those due to cyber-attacks. If you are outsourcing hosting or data centers, make sure the provider has paid attention to physical security. The BITS group has put together a decent set of assessment guidelines for outsourcers - see
-http://www.bitsinfo.org/FISAP/index.php]

MISCELLANEOUS

Australian Man Allegedly Posted Phony Attack Warning (December 9, 2007)

A Melbourne, Australia man has been identified as the culprit in a hoax blog posting that sent Los Angeles police on a manhunt. Jarrad Willis allegedly posted a warning of a shooting at a shopping center in Beverly Hills; police, concerned about a copycat attack just days after the shooting at a mall in Omaha, Nebraska, took the warning seriously. In all, police estimate the effort cost them US $100,000; they plan to seek compensation. Willis has been arrested and his computer seized.
-http://www.smh.com.au/news/web/web-threat-from-melbourne-spooks-lapd/2007/12/08/
1197135325393.html

Fasthosts Changes Customer Passwords in Wake of Breach (December 6 & 7, 2007)

UK web hosting company Fasthosts has apologized to its customers for a situation that left many without service. A security breach prompted Fasthosts to change all its users' passwords; new passwords were sent through the regular mail. Customers have been unhappy because they could not update their sites until they receive the new passwords. After becoming aware of suspicious activity related to some customer accounts, Fasthosts imposed the mandatory password change on customers who did not change their passwords after they were urged to do so following a security breach in October.
-http://www.vnunet.com/vnunet/news/2205313/fasthosts-apologises-customers
-http://technology.timesonline.co.uk/tol/news/tech_and_web/article3007298.ece

LIST OF UPCOMING FREE SANS WEBCASTS



Internet Storm Center: Threat Update
WHEN: Wednesday, December 12, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich and John Weinschenk
-http://www.sans.org/info/20062
Sponsored By: Cenzic

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

Internet Storm Center: Threat Update
WHEN: Wednesday, January 9, 2007 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Johannes Ullrich
-http://www.sans.org/info/20067
Sponsored By: Core Security

This monthly webcast discusses recent threats observed by the Internet Storm Center, and discusses new software vulnerabilities or system exposures that were disclosed over the past month. The general format is about 30 minutes of presentation by senior ISC staff, followed by a question and answer period.

SANS Special Webcast: Things That Go Bump in the Network: Embedded Device Security
WHEN: Thursday, January 24, 2008 at 1:00 PM EST (1800 UTC/GMT)
FEATURED SPEAKER: Paul Asadoorian
-http://www.sans.org/info/20087
Sponsored By: Core Security

Embedded devices come into your network and appear in many different forms, including printers, iPhones, wireless routers and network-based cameras. What you might not realize is that these devices offer unique opportunities for attackers to do damage and gain access to your network - - and to the information it contains. This webcast will review known embedded device vulnerabilities and cover how these vulnerabilities can be used to gain control of devices, networks, and data - and, more importantly, what can be done about it.

THE 2008 SCADA AND PROCESS CONTROL SUMMIT


-http://www.sans.org/scada08_summit/
">
-http://www.sans.org/scada08_summit/


Ten Questions for the Summit
1. What is the actual threat picture for control systems users today? Who are the attackers? What have they already done? What can they do?
2. Exactly how do attackers penetrate the defenses that have been established by most control system users?
3. What techniques are the most advanced control systems users implementing to mitigate the threat?
4. What are the principal vulnerabilities in control systems and how should they be prioritized for mitigation?
5. What are the most effective ways to mitigate the Aurora vulnerability for large and small asset owners? (This session is open to full time employees of critical infrastructure asset owners; proof of employment is necessary.)
6. Which SCADA security research projects have shown useful results? How can asset owners put those findings to work? 7. Which control system vendors have made the most progress on implementing the new standards for secure configuration of their products?
8. How can you participate in private (non-governmental) information sharing activities with other asset owners in your industry?
9. What tools have governments developed that makes security of control systems more effective and efficient?
10. How can utilities educate their Public Utility Commissions so that investments in cyber security may be included in the rate base.

Plus you'll receive the Control System Security Survival Kit consisting of materials that you can use to educate your executives and help plan and implement a control system security program.

The organizing committee

Mike Assante, Rita Wells, and Gary Finco of Idaho National Laboratories
Cheri McGuire and Vishant Shah, of the US Department of Homeland Security
Ciaran Osborn, UK Center for the Protection of National Infrastructure (CPNI) in the United Kingdom
Hank Kenchington, US Department of Energy
Will Pelgrin, New York State and the Multi-State ISAC
Mark Weatherford, CISO, State of Colorado
Marc Sachs, Verizon
Alan Paller, SANS Institute

The agenda

SANS Process Control and SCADA Security Summit - Agenda
Tuesday, January 15
5pm - 8pm
Welcome Reception and Registration
Wednesday, January 16
7:30am - 8:30am
Breakfast
8:30am - 9:45am
Keynote Panel - How real is the threat and how is it changing? (Jason Larsen, IOActive, Alan Paller, SANS Institute; a third speaker)

This panel provides three realistic and complementary views of the cyber threat to control systems and the critical infrastructures they manage. First you will hear the newest information that governments have learned about the threat actors and their goals and methods. Second you will see how the current wave of extortion has hit utilities through compromises of control systems. Finally you will get a clearer picture of the future of cyber attacks on control systems from someone who has listened in on what the cyber criminal community is discussing on their private channels and what exploits they are trading.

9:45 am - 10:00am
Break

10:00am - 11:00pm
Keynote Panel: Penetration Testing: How the Attackers Get Through Your Defenses (Jeff Fay, Patch Advisors; Jonathan Pollet, Industrial Defender; and Jason Larsen, IOActive)

In 2007, executives in critical infrastructure industries (especially electric utilities) have demanded independent assessments of how well their systems and networks can withstand cyber attacks. This panel includes three of the people most often called in to test those systems to determine whether they can be penetrated and how. These expert penetration testers will help you see exactly where the holes are and how they can bypass your defenses.

11:00 pm - 12:00 pm
Keynote Panel: Asset Owners: How To Implement Security Effectively Without Impacting Reliability: Lessons from the Trenches at BP, Southern Co., and PacifiCorp. (Paul Dorey, Larry A. Spoonemore, Patrick Miller)

Control system owners sometimes claim it is impossible to keep the systems patched, to filter traffic, to turn off unneeded services without breaking the systems. In this panel you will learn that much of that talk is often wrong. Led by the Chief Information Security Officer of BP, this panel demonstrates leadership by example, organizations that have found ways to keep patches up to date and implementing other processes needed to improve security, all without impacting reliability.

12:00 pm - 1:15pm
Lunch break

1:15 pm - 2:15pm
The Most Critical Vulnerabilities in Control Systems: Findings from the National SCADA Test Bed and the Control Systems Security Project (Rita Wells, Idaho National Laboratory)

Extensive testing of control systems from more than a dozen vendors has uncovered significant numbers of vulnerabilities. In this session INL's Rita Wells will show you each of the most important vulnerabilities and will tell you which ones could lead to the most damage if exploited and are hardest to correct. She'll also show you what can be done about each of them.

2:15 pm - 3:15 pm
Information Sharing in Critical Infrastructure Security: How electric utilities in the West have found ways to work together to share experiences and best practices? (Stacy Bresler, Pacificorp, and Seth Bromberger, PG&E)

Organizations that are part of the critical infrastructure often find themselves on their own in cyber security. They get little they can use from government and their peers don't share what they are learning. But a group of utilities in the Western United States has solved that problem with an innovative organization that has an enviable record of sharing very sensitive information and making security easier for all its members. Two of the participants in that group with tell you about their experiences and share the formula that made it successful. They will also be available to help you plan similar organizations in your industry and your region of the country or world.

Also how can smaller producers protect their systems with help from the larger utilities? The PGE Testbed.

3:15pm - 3:30pm
Break

3:15pm - 3:45pm How can you build partnerships between control system engineers and IT security professionals? (Seth Johnson of Santa Clara Valley Water District)

When IT Security and control systems engineers do not work together, the company suffers. This session presents a model that worked in one utility to bring the two groups together and make sure they were supporting one another.

3:45pm - 5:00pm
The most valuable research projects in SCADA security (Ulf Lindqvist, SRI International, Sean Kujawa, Shell Global Solutions; David Nicol, University of Illinois at Urbana-Champaign; Tom Stogdale, Matrikon; Michael Kinder, Technical Support Working Group (TSWG); Vincent Berk and George Cybenko, Process Query Systems LLC)

This session consists of five research briefs: (1) Intrusion Detection Technologies within Process Control. (2) The TCIP Testbed for Power Grid Security. (3) Commercialization of the RiskMAP Technology. (4) SCADA Cyber Attack Alert Tool (CAAT). And (5) Temporal-Structural Security Event Correlation with PQS. The sessions are very short but provide you with sufficient information to know which longer briefing you want to attend in the evening session beginning at 6:30 PM. (Night life in New Orleans doesn't start until later so you have time for both.)

5:00pm - 8:00pm
- - Vendor Hospitality Suites
- - Birds of a Feather Sessions for Oil & Gas, Water, and Electric Power Generation and Distribution

6:30pm - 9:00pm
Research Presentations expanding on the late afternoon briefings and allowing ample time for discussion.

Thursday, January 17
7:30am - 8:30am
Breakfast

8:30am - 9:30am A SPLIT SESSION

Session A: Mitigations for the Aurora Vulnerability (exclusively for full-time employees of companies and government agencies in the critical infrastructure) (Tim Roxey, Constellation Energy; Seth Bromberger, PG&E; and Mike Assante, INL))

Tim Roxey has been the leader among US asset owners in identifying and validating mitigations for the Aurora vulnerability highlighted on CNN. In this briefing he provides specific mitigation strategies for both small and large organizations. If you work in the critical infrastructure and have an IT security or control system engineering role, this is a very important session. Tim will be assisted by Seth Bromberger and Mike Assante who have also played key roles in development of mitigation strategies.

Session B: The Three Faces of Cyber Crime: who is attacking, how they are getting in, what they are doing once they get in, and the innovative programs that have been developed to stop them. (Alan Paller, SANS)

Regularly updated versions of this briefing have been the highest rated presentations at every conference in which they were presented in 2007. The insider's view you'll hear in this presentation is not available from any other speaker outside of classified settings.

9:30am - 9:50 am
Break

9:50am - 11:00am
We're From the Government and We're Here to Help You (Cheri McGuire,US Department of Homeland Security; Hank Kenchington, US Department of Energy; Ciaran Osborn, UK Centre for Protection of National Infrastructure; Keith Stouffer, US National Institutes of Standards and Technology

Governments have spent hundreds of millions of dollars on cyber security and have many products to show for their investments. In this panel leaders of the US and UK government cyber security efforts will show you what they have accomplished and point you to specific resources and tools that are of particular value to control system asset owners in the critical infrastructure. As part of this session, Keith Stouffer will also share information and answer questions about NIST's new publication, 800-82, that he helped author, called "Guide To Industrial Control System (ICS) Security."

11:00am - 12:00noon
The Revolution in the CIP Standards for Control Systems Security In Electric Utilities: FERC's new mandate and how best to navigate the changing landscape (Tim Roxey, Constellation Energy; plus a consultant who implements CIP security for public utilities, and a representative from NERC has been invited)

The CIP standards, under intense Congressional scrutiny in the fall of 2007, have come up short, being characterized as "inadequate for protecting critical national infrastructure" according to a NIST-commissioned technical review). Now (on December 11, 2007) the FERC has changed the rules. This session will help you understand what went wrong originally, what FERC has done, and how best to meet the requirement so you actually protect your systems.

12:00pm - 1:15pm
Lunch

1:15 pm - 2:15 pm The Updated Control System Procurement Standards: How to buy control systems with security baked in. (Mike Assante, INL; Will Pelgrin, New York State; Ciaran Osborn, UK CPNI)

Utilities all over the world have adopted part or all of the new control system security procurement standards sponsored by the Department of Homeland Security and developed by Idaho National Labs. In this session you'll hear about he five new categories that have been added: Remote Access (Dial-up Modems; Dedicated Line and Dial-up Modems; TCP/IP; Web-based Interfaces; Virtual Private Networks; Serial Communication Security); Physical Security (Physical Access; Physical Perimeter Access; Manual Override Control; Intra-perimeter Communications); Network Partitioning (Network Devices; Network Architecture); and Wireless Technologies (Bluetooth; Microwave and Satellite; 802.11; ZigBee) They'll also discuss advances in worldwide adoption - especially in Europe and directions that the standards will go in the future.

2:15pm - 3:15pm
How To Upgrade The Security Of The Control Systems You Already Own? (Joe Bucciero, KEMA; Paul Skare, Siemens, and one other control system vendor to be named)

In this session innovative the largest control system integrator joins with leading vendors to show how you can use tools and techniques available today to implement the security improvements detailed in the Scada procurement standards. They'll share the innovations they have added to their product lines and answer questions about what is and is not possible today.

3:15pm - 3:30pm
Break

3:30 - 4:30
Selling Security to Top Management and to Public Utility Commissions and the SCADA Security Survival Kit (The Conference Faculty and a Public Utility Commission manager)

This session attempts involves a large amount of audience interaction to try to answer two of the more difficult questions facing utility managers interested in improved cyber security. It looks first at the work that has been done, particularly by the Australian government, in how to gain top management support for cyber security improvements. Then it turns to the tougher question of how to get the Public Utility Commissions to include security in the rate base so that security costs can be recovered. Finally the session closes with a review of the contents of the SCADA Security Survival Kit.

Register now at
-http://www.sans.org/scada08_summit/
">
-http://www.sans.org/scada08_summit/



=========================================================================

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of High Tower Software and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Johannes Ullrich is Chief Technology Officer of the Internet Storm Center.

Howard A. Schmidt served as CSO for Microsoft and eBay and as Vice-Chair of the President's Critical Infrastructure Protection Board.

Ed Skoudis is co-founder of Intelguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Tom Liston is a Senior Security Consultant and Malware Analyst for Intelguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Bruce Schneier has authored eight books -- including BEYOND FEAR and SECRETS AND LIES -- and dozens of articles and academic papers. Schneier has regularly appeared on television and radio, has testified before Congress, and is a frequent writer and lecturer on issues surrounding security and privacy.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Mark Weatherford, CISSP, CISM, is the Chief Information Security Officer for the State of Colorado.

Alan Paller is director of research at the SANS Institute

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Rohit Dhamankar is the Lead Security Architect at TippingPoint, a division of 3Com, and authors the critical vulnerabilities section of the weekly SANS Institute's @RISK newsletter and is the project manager for the SANS Top20 2005 and the Top 20 Quarterly updates.

Koon Yaw Tan is Assistant Director at Monetary Authority of Singapore (MAS) and a handler for the SANS Institute's Internet Storm Center.

Gal Shpantzer is a trusted advisor to several successful IT outsourcing companies and was involved in multiple SANS projects, such as the E-Warfare course and the Business Continuity Step-by-Step Guide.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Roland Grefer is an independent consultant based in Clearwater, Florida.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/