First real-world SCADA attack in US

Jimmy Hess mysidia at gmail.com
Tue Nov 22 03:43:47 UTC 2011


On Mon, Nov 21, 2011 at 3:35 PM, Mark Radabaugh <mark at amplex.net> wrote:
> On 11/21/11 10:32 AM, Jay Ashworth wrote:
> education / resource issue.   The existing methods that have been used for
> years with reasonable success in the IT industry can 'fix' this problem.

The "existing normal methods" used by much of the IT industry fail way
too often, and therefore some measure of regulation is in order when
the matter is about critical public infrastructure -- it's simply not
in the public interest to let agencies fail or use slipshod /
half-measure techniques that are commonly practiced by some of the IT
industry.

They should be required to engage in practices that can be proven to
mitigate risks to a known, controllable quantity.

The weakness of typical IT security is probably OK when the only
danger of compromise is that an intruder might get some sensitive
information, or IT might need to go to the tapes.

That just won't do when the result of compromise is that industrial
equipment is forced outside of safe parameters, resulting in deaths,
or a city's water supply is shut down, resulting in deaths.

Hard perimeter and mushy interior, with OS updates just to address
known issues and malware scanners to "try and catch" things, just
won't do.

..."an OS patch introduces a serious crash bug" is also a type of
security issue. Patching doesn't necessarily improve security; it
only helps with issues you know about, and might introduce issues you
don't know about.

Enumerating badness is simply not reliable, and patch patch patch is
simply an example of that -- when security really matters, don't
attach it to a network, especially not one that might eventually be
internet connected -- indirect or not.

Connection to a management LAN that has any PC on it that is or was
ever internet connected "counts" as an internet connection.

> Industrial Controls systems are normally only replaced when they are so old
> that parts can no longer be obtained.   PC's started to be widely used as
> operator interfaces about the time Windows 95 came out.   A lot of those
> Win95 boxes are still running and have been connected to the network over
> the years.

The "Windows 95" part is fine.

The "connected to the network"  part is not fine.

--
-JH




More information about the NANOG mailing list