Dailydave mailing list archives

Re: Myth: The US is more vulnerable to information warfare because it is more reliant on information technology


From: Jake Brodsky <ab3a () comcast net>
Date: Wed, 22 Aug 2007 22:51:40 -0400

/* Delurking */

Dave, I've been following this list for a while to see an inside view of
what the various 'hats are discussing for software vulnerabilities.

I come from the industrial automation world.  I'm a registered engineer
of control systems.  For those of you who might recognize the term 
SCADA, that's a part of what I design, build, and live with every day. 
The broader term we like to use is "industrial control systems" because 
it covers plant and process systems as well as regional supervisory 
systems for distribution networks.

Industrial control systems are in the dark ages of security.  We do not
adopt new technologies right away.  We frequently do not even patch,
unless there is a threat to life and limb.  The reason is very simple:
every change in an industrial control system MUST be validated.  This
isn't just me talking, it's the federal regulations.  Go look at the 
OSHA regulations, the FDA Part 11 regulations or even the SOX 
legislation for examples of this kind of thinking.  We have to adhere to 
most of this.

Validation of a control system is extremely expensive.  If we updated 
our systems the way most IT shops do, it would be more expensive than 
the risk of an attack.  We would also risk critical safety systems.
More systems have been damaged or brought down from bad patching 
practice than by actual attacks.  So we have to be very selective about 
what we patch, where, and when.

The bottom line is that your assumptions about the adoption of 
technology aren't typical.  We're working to change that.  However, we
can't do what most of the IT community does.  We can't patch first and
trust that all will be well.  So we hide behind firewalls, we segment
our networks, and we're trying to push authentication right to the
micro-controllers in the field.  But it's a long uphill battle.

The typical lifetime of an industrial control system can be 10 to 15
years.  Chew on that for a minute.  What were YOU playing with 15 years
ago?

This won't happen overnight.  I'm a member of various standards committees 
and we're trying to create market standards and authenticated protocols 
we can use to effect these changes on the market.  But it won't be easy 
and it won't be quick.  You don't rewire or redesign a refinery 
overnight.  You don't replace a SCADA system covering hundreds or even 
thousands of miles of pipeline without expending some impressive labor 
costs.

The DOD boilerplate isn't wrong to say the sorts of things they're
saying.  Misguided?  Maybe.  Inaccurate?  Only so far as they don't
quite understand the technicalities.  But this is just funding talk.  I
know others in DOD and law enforcement who understand the issue very well.

There is much to be afraid of.  Cities depend on an infrastructure that
runs all too well; utilities are so reliable that we forget about how
integral they are to daily life.  We're nearly invisible until something
breaks.  Think of this the next time you flush your toilet.  How long
could a large city last without water?

The only people who sleep well in my industry are those who do not
understand the problem.

Jacob Brodsky, PE

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

