
The Birds, the Bees, and the CVEs: Understanding Novel Vulnerabilities in Critical Infrastructure

BSides Las Vegas · 2023 · 25:43 · 50 views · Published 2023-10
About this talk
Iain Deason explores the challenges of assessing the impact of newly disclosed vulnerabilities—especially in control systems and medical devices—across critical infrastructure sectors. Drawing on real-world case studies, he discusses coordinated vulnerability disclosure, supply chain complexity, media attention dynamics, and practical strategies including vulnerability disclosure policies and CVE numbering authority roles.
Original YouTube description:
Proving Ground, 10:30 Wednesday. The Birds, the Bees, and the CVEs: Understanding the Novel Vulnerabilities in Critical Infrastructure. During this talk, Iain Deason will describe the difficulties and the techniques used to understand the impact of product vulnerabilities on different sectors of critical infrastructure. When new and novel vulnerabilities are disclosed, especially in control systems and medical devices, it can be difficult for asset owners to understand the potential impacts to the larger ecosystem or the affected critical infrastructure sector. The audience can learn of different strategies that have been utilized to understand the risk of new and novel vulnerabilities, and potentially gain a new perspective on when vulnerabilities enter the ecosystem and on coordinated vulnerability disclosure. Speaker: Iain Deason
Transcript [en]

All right, good morning, BSides Las Vegas. Hang on, I've got a script. So good morning, slash afternoon, and welcome to BSides Las Vegas Proving Ground. Underground... we're Proving Ground this morning, I feel. With something. OK, welcome. Do you want to come and grab a seat? We are live on the internet, so please keep your clothes on. Please, really do that, it's early and I've only just eaten. OK, so we're opening proceedings today with a man who was a pun. Not a pun, it's a pun. Yes, I was going to make up a fun fact about Iain Deason, but you are the fun fact. "I'm already fun." So you are very fun. You're coming a little bit to the mic, just a little bit.

Cool, cool. So your talk is, well, it's on the screen, but for those of you who'd like me to read it: The Birds, the Bees and the CVEs. So, a quick couple of things. Got to thank sponsors because they're amazing: Diamond sponsor Adobe; Gold sponsors Prisma Cloud, Semra, Blue C, Track 22, Dr One. I was only supposed to say three of these, but thank you to all of them. It's their support, along with the other sponsors, donors and volunteers, that makes this event possible. Please turn your phones off, it's just kind of polite. And we're not Underground, so I think you can take photos, you're all right with photos, but please just don't take photos of random people without asking them. Iain, are you good to go, my friend? Excellent, over to you.

All right, thank you so much for that fantastic introduction. So again, the title of my talk is The Birds, the Bees and the CVEs, or Understanding Critical Vulnerabilities to Critical Infrastructure. My name is Iain Deason, I'm with the United States Cybersecurity and Infrastructure Security Agency. Specifically, why this is "the birds, the bees and the CVEs" is because when a security researcher and a product security team love or hate each other that much, that is how a CVE is born. You may be noticing throughout my presentation there are many, many stork images; in other terms, the stork is what delivers babies, and this way it acts a little bit like the stork where we're delivering CVEs.

A little bit about me, so who am I? I'm Iain Deason. I'm a vulnerability analyst that specializes in the coordination and the responsible and reasonable disclosure of industrial control systems and other vulnerabilities that affect critical infrastructure. I'm also currently serving in the Imagination Fellowship, which is a leadership development program within my agency, and that is the name of the agency that I work at: the Cybersecurity and Infrastructure Security Agency, also known as CISA.

All right, so first I'm going to go ahead and

talk a little about why am I here talking about vulnerability disclosure. Within this talk I really could have talked about how CISA's mission is to reduce the number of vulnerabilities to critical infrastructure and to the federal government. I could also be talking about how we're trying to engage with different stakeholders to get rapid information out to them. But I'm primarily here to talk about vulnerability disclosure as well as coordinated vulnerability disclosure, and I've got a few unanswered, open-ended questions on why. When I originally looked in textbooks and certifications trying to find more information on vulnerability disclosure, guess what I found? Nothing. When I went and actually gave a presentation to some students about this, like how are CVEs born, what did I learn? Nothing, they didn't know a thing. What about even before I started? I've been in this role for about three years now. What did I know about coordinated vulnerability disclosure, how does this process work? Did I know? Nothing.

So really quick, if someone has a quick answer: why do you think the government discloses vulnerabilities? Just quickly raise a hand. Yep, "so we can't use it." All right, "so you can't use the money." Who said that? And you were right. And just one more, just one more. Who was that? Yep, you. Yeah, so that's actually another way. And you can get a lovely CISA sticker package, thank you so much. Was that you? Merry Christmas.

So one thing that's important on why we're trying to, so my take as well, is one of the reasons why we want to make sure that we disclose vulnerabilities: we want to make sure they're public so people can understand what the risk is of these specific vulnerabilities. If things remain behind paywalls or if they're not disclosed, guess what? The vulnerability still exists. Just because there isn't a CVE ID or a CVSS score associated with it still means the vulnerability is still there.

Also, one of CISA's responsibilities is that we are actually a CVE Numbering Authority, so we have more responsibilities over industrial control systems, medical devices and federal networks. A few things just to set up the backdrop a little bit: there is a specific definition of how the US government sees what a vulnerability is. I'm not going to read it, I assume most folks can read this. Also, if you were here yesterday, Josh Corman talked about Presidential Policy Directive 21 a little bit. These are some of the authorities that we have to be able to work with in critical infrastructure and federal government on how we're able to manage the risk and strengthen the resilience of the nation's infrastructure; we're able to reduce vulnerabilities and hasten response. So I'm going to talk a little bit, specifically within the context of vulnerability disclosure, on how we're able to hasten that response.

So this is a very, a bird's eye view, if you will, of how we are able to conduct our processes. There's ISO standards behind this, the CERT Coordination Center has written a fantastic guide, but this is a very quick and dirty version for those folks that might not have heard this before. So the first phase is, this is where there's

going to be the vulnerability that's discovered, whether it's by accident, whether it's through research. Either way, that information is there: there is some sort of weakness in that particular software or hardware that's documented and is shared. So that would be where we'd go into the coordinated disclosure phase. At that point there's validation of that vulnerability: when one researcher finds it in an isolated environment, it needs to go to that product security team to make sure that yes, they are seeing what is true, yes, this is truly a vulnerability. One of the things behind that coordination as well is, a lot of times it's not a handshake. A lot of times people are reaching out with a hand and they're getting threatened with a lawsuit. So this is a little bit of reality. Some of what CISA does in our mission is we are able to be a third-party vulnerability disclosure entity. What that means is if people need help, we are able to assist. One thing as well, specifically within this phase, is the timeline can vary drastically, where some of the cases I've specifically supported have had timelines of about a year to two years, where some are within 30 days.

Ultimately, once there's some sort of agreement between the two entities or three entities, there's going to be some sort of patch or mitigation phase. A patch, depending on the system: if we're talking critical infrastructure control systems, that patch cycle is going to take a little bit longer, because they're not going to be happening on a rolling basis. Some patch cycles are happening quarterly; sometimes you need to bring staff on site. Some of these systems are underwater, some of them are in outer space, so you have to do a little bit more coordination, you have to prepare a little bit better. Also, when it comes to the mitigation phase, not all patches will be a mitigation. Some mitigations are "destroy the device, buy a new one, the firmware is broken." So there's other things people need to understand.

And then finally, for the last phase, this is where we become instrumental, is where we're using our megaphone and we're able to get the word out. We are able to get the word out to people that might not have access to a threat intel platform. We're able to get that information out to people that need to understand the risk of what their products are, so they can make those decisions on how to best safeguard their communities, how to best safeguard their enterprise, whatever type of operation they are trying to have. We are there to support them. One of my takes when it comes to the whole idea of coordinated vulnerability disclosure: there's a sense where there is coordination involved with all of them, but not all of them are organized, so we try to make sure that we're bringing that reasonableness and that organization that it needs.

So that's a little bit high level on the process, but why does this become so difficult? That was a pretty easy, well, it wasn't really a flowchart, but why does this become so difficult and why does this become so critical? Where I want you to kind of think of

criticality not necessarily as whether something can be remotely exploited, whether it's a CVSS score of a 10, but think of criticality as critical thinking: how much time do you need to think about these problems, how much creative thinking do you need to do when you're tackling some of these problems. Because one of the things I'm going to be doing is there are five different examples that I'm going to be sharing with you, and in each example I'm going to tell you the fact that you can't really have a set playbook for everything. You need to be creative and you have to be able to think on the fly.

All right, so I'm going to have a quick example of: what if there is a vulnerability that gets shared with you and it's literally everywhere? So this was an advisory that we released about a year and a half ago. When we first received this report, the idea behind it was this was going to affect billions of different devices. This is going to be affecting different real-time operating systems, or OSes, which are used in cyber-physical systems. Some of these products you can see right here, or can't really see, but some of the products were products made and maintained by Amazon, one of the largest companies on the planet, where others were smaller projects managed by one to two people. This becomes very difficult because if you're thinking of a specific vulnerability that affects a memory allocation function in this number of operating systems, are we going to be targeting that operating system during the mitigation and patching phase? You have to be targeting where those actual products are placed, you have to be able to work downstream. So when we started our coordination we contacted the vendors of these different technologies. Not all of them were based in the United States, they're all across the world, and it became really clear that there was a lack of supply chain visibility that really came behind this.

Because what happens is, if you have this small RTOS that is put into a smaller component, which then gets integrated into a larger product, which then gets sold to a system integrator that, you know, will create an HVAC unit or something that gets integrated into a submarine that gets sold, and then there's a maintenance contract that's put on top of that, so there's layers and layers and layers of obus of where you're trying to understand and enumerate what the problem is behind one vulnerability. It becomes near impossible, where not all of these things are going to be IP-based. You can't search on Shodan for some of these things, because a littoral ship isn't necessarily going to be able to show this. There is market data that you can purchase, but unfortunately it tends to be really expensive, and if you're trying to simply understand what that impact of the vulnerability is, it can take lots of time, effort and a lot of thinking. This specific case actually took us over a year from the moment that we received the case to the moment that it went public. And one of the things behind it, where people start to get a little bit, when it's starting to affect OT, IoT, industrial, medical and enterprise networks, when it is so many different

devices, it gets very difficult to understand what it works with. Specifically, as CISA we are working with initiatives within SBOM and another initiative called VEX to help with some of these issues. I'm not going to get into that within this talk, but there are very smart individuals we have at our organization that can speak to that.

The second one I'm going to bring up is: what if a vulnerability specifically gets attention? In this case, this is another advisory we wrote for a product called the MiCODUS MV720, which is a GPS tracker. This particular GPS tracker is an aftermarket automotive part that you're able to put into your car, and you can track some fuel, you can track where the car is; it gets integrated within the greater vehicle itself. When we first received this case, it was bad, but the use case behind it, there wasn't the proof of concept available on a specific car, so it wasn't going to be at the level of other particular car hacks that we've seen where they're able to physically stop a car driving on the road. However, this got a little bit more spun up when the Associated Press picked it up. What this means, for those folks that have not seen this before: the Associated Press acts as a larger seed where smaller news outlets can take the information behind it. What specifically happened with this one, and you might be able to see the title, "Researchers: Chinese-made GPS trackers are highly vulnerable." That's not going to be telling the whole story behind, you know, what is actually capable with this vulnerability. They're seeing the fact that there is another country that is able to try to hack into GPS systems. One of the things I've specifically learned with this case is the fact that many times security research companies, and this isn't for any of them or for all of them, but they're able to hire PR firms to do media pushes, and this is where there's this context where a vulnerability tends to get more attention if it's able to get more clicks. So that's just an interesting way to take where the research is being done, the fantastic research is being done, but sometimes that message becomes a little bit different. Specifically with this one, I did receive lots of different questions from private industry and other parts of government to say, how many cars can be hacked right now? Which I was not able to answer.

All right, here's another one, which we heard a little bit about yesterday: what if there's a vulnerability within medical devices? This can be touchy for some people. This was a medical advisory; I don't know how many people have heard of the Hamilton T1. Some people know what this is, because this is a ventilator. Another thing I want to show is the fact that the date is February 16th, 2021, which was right in the middle of the pandemic. So again, this is a vulnerability that, if you look at CVSS, you know, take it or leave it, however a very, very low, not a very critical vulnerability. But the fact that this was a vulnerability affecting ventilators during the pandemic, where

there's supply chain shortages and there's a literal physical harm type of element behind it, people are a little bit more cautious of these types of vulnerabilities. So this was something we did get a little bit more questions on, just based off of the type of technology and how it was affected. One of the things that we have to help with these types of vulnerabilities is we do have a memorandum of understanding in place with our partners at the Food and Drug Administration, also within the US federal government, where we are able to share our vulnerabilities before they're public with the people that know how to fix them. What that means is they have different capabilities, whether it's cardiologists, whether it's other people that can test these medical devices, which are meant to treat or diagnose diseases or injuries; they're able to go in and give that proper patient safety impact that we can't do, because I don't have a medical background, I'm not the best person to make that assessment.

All right, another vulnerability that we have is: what if it's affecting an open standard? This was one I had to look up before I took this case. The Object Management Group has something called the distributed data systems, which is a middleware component that's going to be used to handle the reliability of control systems over wide distances; it's kind of a way to link different architectures. It's a little bit different because there's already this idea of different locations, and this is an open standard. How do you fix something when you're not telling one manufacturer, you're not telling one software developer, "here's the bug, how do you fix it"? You have to talk to a consortium, and people have been working on this standard for years to build other technologies. So we did what we did, we ended up writing an advisory behind it. But one of the secondary impacts behind this was not only did it affect multiple different technologies, but the fact that if you did a very quick online search you could see that there are very, very highly critical pieces of critical infrastructure, whether it is a large dam up in the United States or the fact that the International Space Station happens to be using this type of technology. So this is going back to this idea of, even if this is a very niche technology that only a few people understand, the fact that it's used in very highly critical systems is going to give this a little bit more attention.

And so, as my last example, we've given different examples of the news, we've given different examples, but what if it all happens at once, with exploitation? So yeah, we have that one, we have Log4Shell that happened, which, for many, many instances, not only is it critical on the fact that it was mass exploitation affecting all realms of enterprise as well as critical infrastructure, this also happened during the holiday season, where many people happened to have time off. This was also during the surge of the Omicron variant of COVID, which also hindered teams. This was also in open source, which also made it difficult. But I will say, after working with several different teams on the

response effort, it does a fantastic job and there's certainly a lot of lessons learned.

So we've learned a little bit now. Vulnerabilities can really be anywhere; they can affect up to billions of devices, so one CVE could be up to billions. The media can give attention to things that might normally not have gotten that same attention. The public can be very sensitive to medical devices or things that they understand, such as cars, vehicles, things that they know, tangible items where you know how to express harm. Standards can really increase the amount of complexity when it comes to response. And it all can happen at once.

So what are some things that we can do to help? I'm going to talk about three different strategies here, and some of these things were discussed yesterday: you can add a vulnerability disclosure policy, you can become a CVE Numbering Authority, or you can have kind of tailor-made vulnerability response processes. If you do make products, if you are making code that's being sold, one of the things that we highly recommend is that you become a CVE Numbering Authority. What that's going to do is allow you to assign your own CVE IDs. It's also going to allow you to tailor what your language is, so that when you're trying to own that vulnerability information, own the rhetoric behind it, this is the first step. They do have a few different barriers of entry: making sure that you're showing your publicly facing vulnerability information, which is already something we're wanting people to do, and it also shows the fact that you have a vulnerability disclosure policy allowing good-faith researchers to reach out to provide these services to the company. Because oftentimes, if it's not explicitly known, organizations and researchers reach out to us to serve as that intermediary. CISA is able to help with that. Julia's in the audience as well, so she can also assist you if you have more questions on that.

But also, something that I had highlighted earlier: if you do have a business, have a vulnerability disclosure policy, because that's going to be one of those things to allow good-faith researchers to allow this work to be done. If you do have those website misconfigurations, it's going to be more helpful to have people reaching out; people are going to be more willing to work with you if they know that they have that there, rather than, you know, the byproduct where there's some sort of exploitation that can happen. That is something also we can help you with at CISA. And also, if you do have vulnerability response within your vulnerability management program, have different plans: whether you're receiving a pre-disclosure vulnerability, whether you're receiving a zero-day, whether something is exploited, have different plans and playbooks for each. One of the things behind it is think about driving what the consequence-based analysis is. So if you do have those cyber-physical systems, if you do

have medical within your networks, think about what those worst-case scenarios could be. Think about, if there was an adversary that did breach your network, what are those different things you could do? Brainstorm those types of ideas, write them down, and then think about them and make risk-based decisions when that happens.

But ultimately, one of the things I want people to understand is the fact that not every vulnerability is the same, and you should be prepared, because there's a huge data management problem behind vulnerabilities. We at CISA do have the Known Exploited Vulnerabilities catalog to help with kind of that data management problem, but there is understanding the depth and breadth of different systems, and as there is an interoperability of cyber and physical systems, just have a very good idea of how things can be affecting other processes. But again, as I mentioned earlier, this seems daunting; we can help. Yes, those are two storks giving a high five. There's an email there if you want to reach out; we're definitely able to reach out, or feel free to reach out afterwards. Also, for those of you in the audience, we are actively hiring, so this is just a pitch. If you can take a picture, we have specific job announcements for Black Hat, DEF CON and BSides, so feel free to check that out. But yeah, that is all that I have. Thank you everyone, thank you to the Proving Ground, thank you to my mentor Mainframe, thank you to the organization for bringing me out here, and hopefully everyone was able to take something back with them to bring to your organization. But thank you again.

Well, thank you. There we are. Hello, that was amazing, really good, and excellent keeping to time as well. So, not that it's up to me, but I think you can come back at some point. It was so good. Awesome, one more round of applause please, because that was awesome.
