funsec mailing list archives
Re: cyber-9/11
From: Chris Blask <wobblingmoon () yahoo com>
Date: Wed, 8 Apr 2009 08:41:57 -0700 (PDT)
Robert Graham wrote:
I agree that SCADA systems are extremely weak. I curl up in a ball laughing on the floor every time somebody mentions "Smart Grid". Here is a paper I gave a couple years ago at Black Hat. It's nothing surprising, but it's first-hand knowledge (that is, when I say SCADA is weak, it's because I've seen it with my own eyes, not because I heard it was well docum http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
I started a company called Lofty Perch a few years ago and we rapidly wandered into SCADA and CIP (Lofty is still going, but I'm not involved anymore). The challenge of addressing the space is complicated by: the nature of the folks who build and run these systems (steel-toed boots and hardhats, "seven years to go 'til retirement and I'll quit when some computer kid tells me what to do"); the lack of a mandate from the government (or anyone) to address the problem; and the inherent difficulties we (infosec) have as an industry.

The first of these is what it is, and we have to bear that in mind when crafting solutions. This is why the second is virtually an absolute requirement - these folks are much less likely to run off and embrace security than IT (pointed pause......). The third is something we can do something about, but - for all the same reasons that we struggle with IT security - we don't. We need to make it programmatically simple for the facility owner/operators to consume security solutions like they consume epoxy and PLCs, but we keep trying to explain to them how digital signatures are revoked.

-chris