Water Utility SCADA 'Attack': The, um, washout

Kyle Creyts kyle.creyts at gmail.com
Mon Nov 28 10:36:04 CST 2011


I would actually carry this to another level, and say this "leak" could be
considered evidence that the fusion centers are working quite well. The
fact is that a fusion center, in this case, enabled the community to:
 1)respond to an event (together);
 2)know where to contribute any coordinating information, now or in the
future;
 3)be on the lookout for similar events;
 4)raise awareness about a perceived problem that doesn't seem to be
getting better;
 5)perceive a measure of transparency in the operation and utility of these
fusion centers.

>From where I stand this disclosure being dubbed a "leak" is improper.
Perhaps it was a leak, perhaps it was an intentional disclosure. Either
way, it showed that fusion centers are working to escalate the attention
given to potentially serious issues, with a defined benefit to the
community they serve, while operating with an appropriate degree of
cooperation between TLAs. And while there was media FUD early on, the final
output was clear, concise, and non-speculative.

On Sat, Nov 26, 2011 at 7:40 PM, <Valdis.Kletnieks at vt.edu> wrote:

> On Sat, 26 Nov 2011 17:38:55 EST, Jared Mauch said:
>
> > >  I suggest new secrecy legislation, for fusion centres.
>
> > It already exists :)
>
> > People may be subject to prosecution for leaking this to the public.
> > It's that simple.  Problem is it can't be undone, so it's not an
> > interesting case in some regards...
>
> Actually, it's *not* that simple - it's complicated enough that a quick
> knee-jerk "There should be a law against it" reaction is probably a bad
> idea.
> (In fact, I'll go out on a limb and say that one-sentence "there should be
> a
> law agains it" reactios are almost always a bad idea).
>
> After all, fusion centers were originally created because too many
> agencies had
> laws and regulations banning the sharing of information. We saw a decade
> ago
> just how well *that* worked out for us. So it's not at all clear that "new"
> laws making things *more* classified are a good idea in this case. Nor is
> it
> obvious how to code useful laws to prohibit the dissemination of data from
> a
> group set up for the express purpose of mining data and disseminating the
> results.  Sure you can tighten things down, but if a fusion center can't
> release something quickly, it's not a lot of use, is it?
>
> (We've more than once gotten stuff from various TLA's stamped with a
> default
> "No Foreign Nationals" that ended up being totally unusable because we've
> got
> foreign nationals all over the place, and had to wait for a second copy
> that
> had gotten kicked down to "FOUO" so we could use it - loads of fun)
>
> So the last thing we need is people who don't even know what laws already
> exist
> calling for the creation of *new* laws.
>
> And quite frankly, which way do you want these things to fail?  Do you
> want an
> early alert that says "evil packets may be coming in from Russia", or do
> you
> want it to wait till they've verified it's a contractor's employee ssh'ing
> in
> while on vacation? Sure, a few people have some egg on their faces and now
> have
> a really good bar story.  But let's keep in mind that it took several days
> to
> sort this one out - coincidentally, just about the same number of day that
> it
> took Sony to come out and say that PSN got whacked.
>
> You really can't have it both ways.  Which do you want, false positives or
> false negatives?
>
>


-- 
Kyle Creyts

Information Assurance Professional
BSidesDetroit Organizer


More information about the NANOG mailing list