Dailydave mailing list archives
Re: Myth: The US is more vulnerable to information warfare because it is more reliant on information technology
From: Jake Brodsky <ab3a () comcast net>
Date: Wed, 22 Aug 2007 22:51:40 -0400
/* Delurking */

Dave,

I've been following this list for a while to see an inside view of what the various 'hats are discussing for software vulnerabilities. I come from the industrial automation world. I'm a registered engineer of control systems. For those of you who might recognize the term SCADA, that's a part of what I design, build, and live with every day. The broader term we like to use is "industrial control systems" because it covers plant and process systems as well as regional supervisory systems for distribution networks.

Industrial control systems are in the dark ages of security. We do not adopt new technologies right away. We frequently do not even patch, unless there is a threat to life and limb. The reason is very simple: every change in an industrial control system MUST be validated. This isn't just me talking, it's the federal regulations. Go look at the OSHA regulations, the FDA Part 11 regulations or even the SOX legislation for examples of this kind of thinking. We have to adhere to most of this.

Validation of a control system is extremely expensive. If we updated our systems the way most IT shops do, it would be more expensive than the risk of an attack. We would also risk critical safety systems. More systems have been damaged or brought down from bad patching practice than by actual attacks. So we have to be very selective about what we patch, where, and when.

The bottom line is that your assumptions about the adoption of technology aren't typical. We're working to change that. However, we can't do what most of the IT community does. We can't patch first and trust that all will be well. So we hide behind firewalls, we segment our networks, and we're trying to push authentication right to the micro-controllers in the field. But it's a long uphill battle.

The typical lifetime of an industrial control system can be 10 to 15 years. Chew on that for a minute. What were YOU playing with 15 years ago? This won't happen overnight.
I'm a member of various standards committees and we're trying to create market standards and authenticated protocols we can use to effect these changes on the market. But it won't be easy and it won't be quick. You don't rewire or redesign a refinery overnight. You don't replace a SCADA system covering hundreds or even thousands of miles of pipeline without expending some impressive labor costs.

The DOD boilerplate isn't wrong to say the sorts of things they're saying. Misguided? Maybe. Inaccurate? Only so far as they don't quite understand the technicalities. But this is just funding talk. I know others in DOD and law enforcement who understand the issue very well.

There is much to be afraid of. Cities depend on an infrastructure that runs all too well; utilities are so reliable that we forget about how integral they are to daily life. We're nearly invisible until something breaks. Think of this the next time you flush your toilet. How long could a large city last without water?

The only people who sleep well in my industry are those who do not understand the problem.

Jacob Brodsky, PE