At Industrial Control Security Con: Will hack IoT for Beer

In-brief: Cisco’s Marc Blackmer reports from the S4 Conference in Miami – one of the top gatherings of industrial control system security experts. Among the attractions this year: Justine Bone of the firm Medsec, the psychology of malicious insiders and a hackable “kegerator.”

What better way to start the year than with a conference in south Florida? January is the month for Digital Bond’s S4 Symposium in Miami Beach. This year’s event was the largest I’d seen in the last four years that I’ve attended, which is evidence of the growing importance of security for the Internet of Things (IoT), particularly as it relates to industrial control systems (ICS).

For the uninitiated, S4 is one of the premier ICS cybersecurity conferences in the world. Digital Bond are recognized as ICS cybersecurity consulting and research leaders, and this event attracts the top ICS cybersecurity researchers from around the world, including the ICS team within Cisco’s Talos group, who present their latest research. If there has been a major breach of critical infrastructure somewhere in the world, odds are the researchers who investigated it will be presenting their findings at S4.

Will hack (IoT) for beer

Now, I could tell you about the growth in attendance, the different simultaneous tracks on the main, technical, and sponsor stages (I presented on MUD and 1NTERRUPT this year), and the awesome and evolving ICS capture-the-flag (Cisco Talos placed second this year, thank you very much), all of which were quite cool. But first, let’s talk about hacking for beer. Yes, you read that correctly.

If you want to learn how to do security right, then you need to know how to break things – in a controlled environment, of course – like a CTF. And what’s more fun than learning by competing with friends and earning bragging rights? How about competing with friends, earning bragging rights, and having your hack result in an automated beer pour?

Enter the Cisco Talos Kegerator.

The Kegerator is a fridge, with actuators to control the beer taps, a wifi access point, router, a programmable logic controller (PLC), and a human-machine interface (HMI). It’s a self-contained, mobile, beer-dispensing industrial control system, and it was its own standalone CTF. If you can work your way through the vulnerability holes in the system to release one of the taps and pour a beer, you’ve won!

Only four people had managed to complete the challenge before S4 (one was subsequently recruited by Talos). And with only a four-hour window at S4, time became another obstacle. But considering we had some of the best and brightest in the ICS cybersecurity world attacking the Kegerator, we figured the odds were high that someone would get in, and that someone was Jason Larsen of IOActive.

Other highlights

Most of my time over the three days was spent taking in the main stage talks, and one of the many highlights for me was Dale Peterson’s on-stage interview of Justine Bone from MedSec. You may recall that MedSec made headlines around the world when they worked with an investment research firm to short the stock of a particular medical device manufacturer after MedSec found vulnerabilities in that manufacturer’s pacemakers and other devices. The entire episode has generated a good deal of debate in the cybersecurity world over where the line of responsible disclosure lies, what the ethical thing to do is when researchers feel they are up against an intransigent manufacturer, and whether this case has opened a Pandora’s Box.

Eric Shaw is a clinical psychologist and former intelligence officer. His presentation on detecting at-risk insiders was fascinating. For me, the psychological aspect of cybersecurity is slightly more interesting than the technical side of things. After all, humans are the ones using the technology and how we use those tools depends on our psychology. Remember Aldrich Ames? Dr. Shaw’s brief case study indicated that there were a number of evident risk factors that should have been apparent, if his supervisors knew what to look for. Seemingly innocuous words and statements, when combined with other information can be crucial in detecting insider threats.

The net of this is that ICS, and by extension IoT, cybersecurity is garnering more attention, and that’s a very good thing. I’m seeing a growing and more varied audience at events like S4 and The Security of Things, but we need to keep spreading the word. When we start seeing attendance pushing the 1,000 mark, we can starting gaining some confidence that we’re making headway rather than just trying to stay above water.