The fact that so many are focusing on the water plant using Windows 7, which had nothing to do with how the attack was done, is interesting. Folks have an obsession with vulnerabilities, and while they can matter a lot, it is a fundamentally different value prop in ICS.
The attack took advantage of TeamViewer. In this instance the OS didn’t matter. The TeamViewer application was Internet facing and available. The attack took advantage of the HMI; that’s not a software vuln issue, they just did what operators could do on the system natively.
There are a lot of “insecure by design” systems in ICS. Meaning most of the things you want to do, you don’t need a vulnerability or exploit to do.

Also, a lot of IT security is system or data security: protect the system, don’t let folks get root, encrypt the data, etc. ICS is not.
ICS is often a system-of-systems security issue. Product security when you’re mainly a Windows shop adds a ton of value. Product security when you integrate multiple systems into a complex process with a focus on the physics can have value but not the same level.
Or said differently: what was the system of systems designed to do and what is allowed by the physics? The adversary is confined to that regardless of software vulnerabilities. But they also have all of that available to them, often without exploits.
In Ukraine 2015, as an example, folks were obsessed with BlackEnergy3. It was a good tool, but it was leveraged in the IT environment, not the ICS. The actual attack was just the adversary learning how to manipulate the distribution management system. No exploits or malware required.
That does not mean vulnerabilities are pointless though. Many are. Not all. E.g. a vulnerability that introduces new functionality, can get you access to the ICS (border systems like historians), or can cause loss of control or view - those can definitely matter.
It just means the value proposition of patch management is not the same in ICS as IT, it’s a good control but often not one of the top ones. In @DragosInc’s research we find that roughly 64% of the ICS vulns (2019 data) were not really useful at all nor worth your attention.
So while I appreciate that moving to Windows 10 over Windows 7 has a lot of benefits, it was irrelevant in this specific attack; further, it likely isn’t even a top 5 security control for what’s necessary to help that org out. Yet the focus on “zomg outdated systems” happens.
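An added illustration of the thread's point that no exploit was involved (example code, not from the thread, the author or Dragos): since a remote-access session and an HMI setpoint write are both legitimate functions, the defensive check is a baseline of who connected, when, and whether the written value is physically plausible. The log format, remote IDs, maintenance hours and engineering limits are all constructed for the example and are not TeamViewer's or any HMI vendor's real format or defaults.

```python
from datetime import datetime

# Constructed baseline: remote IDs expected to reach the HMI, local hours in
# which remote maintenance normally happens, and the engineering range each
# setpoint tag may take. These are assumptions for the example, not defaults.
ALLOWED_REMOTE_IDS = {"ops-laptop-01", "integrator-02"}
MAINTENANCE_HOURS = range(7, 18)          # 07:00 to 17:59 local
SETPOINT_LIMITS = {"DOSE_SETPOINT": (0.0, 500.0)}

# Constructed log lines (tab-separated: time, event, actor, detail).
# Not TeamViewer's or any vendor's real log format.
SAMPLE_LOG = """\
2021-01-15 13:02:10\tREMOTE_SESSION\tops-laptop-01\tstart
2021-01-15 13:30:00\tSETPOINT\tops-laptop-01\tDOSE_SETPOINT=100.0
2021-01-15 13:45:00\tREMOTE_SESSION\tops-laptop-01\tend
2021-01-15 02:14:33\tREMOTE_SESSION\tunknown-7731\tstart
2021-01-15 02:16:05\tSETPOINT\tunknown-7731\tDOSE_SETPOINT=9000.0
"""

def parse(line):
    ts, event, actor, detail = line.split("\t")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, actor, detail

def review(log_text):
    """Return one finding per suspicious event. No exploit signatures: every
    event is a normal function of the remote-access tool or the HMI, so the
    checks are about who acted, when, and whether the value is sane."""
    findings = []
    for line in log_text.splitlines():
        when, event, actor, detail = parse(line)
        if event == "REMOTE_SESSION" and detail == "start":
            if actor not in ALLOWED_REMOTE_IDS:
                findings.append(f"{when}: remote session from unapproved id {actor}")
            if when.hour not in MAINTENANCE_HOURS:
                findings.append(f"{when}: remote session by {actor} outside maintenance window")
        elif event == "SETPOINT":
            tag, value = detail.split("=")
            if tag not in SETPOINT_LIMITS:
                findings.append(f"{when}: write to unbaselined tag {tag} by {actor}")
                continue
            low, high = SETPOINT_LIMITS[tag]
            if not low <= float(value) <= high:
                findings.append(f"{when}: {tag}={value} by {actor} outside engineering limits [{low}, {high}]")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```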
