First real-world SCADA attack in US

Jen Linkova furry13 at gmail.com
Tue Nov 22 05:24:59 UTC 2011


On Tue, Nov 22, 2011 at 8:35 AM, Mark Radabaugh <mark at amplex.net> wrote:
> Having worked on plenty of industrial and other control systems I can safely
> say security on the systems is generally very poor.   The vulnerabilities
> have existed for years but are just now getting attention.    This is a
> problem that doesn't really need a bunch of new legislation.   It's an
> education / resource issue.   The existing methods that have been used for
> years with reasonable success in the IT industry can 'fix' this problem.

I agree, it is mostly an education and resources issue. But the
environment of control networks is slightly different from the IT
industry, IMHO.

1) control network people have been living in a kind of isolation for
too long and haven't realized that their networks are connected to Big
Bad Internet (or at least intranet..) now so the threat model has
changed completely.
2) There aren't many published cases of successful (or even
unsuccessful) attacks on control networks. As a result, the risk of an
attack is considered to have large potential loss but *very* low
probability of occurring and high cost of countermeasures =>
ignoring..
3) Interconnections between control networks and "normal" LANs are a
kind of grey area (especially taking into account that both types of
networks are run by different teams of engineers). It is very hard to
get any technical/security requirements etc - usually none of them
exist. And as the whole system is as secure as the weakest element....
the result is easily predictable.
4) any changes in control network are to be done in a much more
conservative way. all those "apply the patch..oh, damn, it
crashed..rollback" doesn't work there. In addition (from my experience
which might not be statistically reliable) the testing/lab resources
are usually much more limited for control networks;
5) as the life cycle of hw&sw is much longer than in IT industry, it
is very hard to meet the security requirements w/o significant changes
to existing control network (inc. procedures/policies) - but see #4
above..

So there is a gap - those control networks are 10 (20?) years behind
internet in terms of security. This gap can be filled but not
immediately.

The good news is that such stories as the one we are discussing could
help scare the decision makers..oops, sorry, I was going to say 'raise
the level of security awareness'

-- 
SY, Jen Linkova aka Furry



