Re: cyber-9/11

[Chris Blask <wobblingmoon () yahoo com>]

Robert Graham wrote:

> I agree that SCADA systems are extremely weak. I curl up in a ball laughing on the floor every time somebody mentions 
> "Smart Grid". Here is a paper I gave a couple years ago at Black Hat. It's nothing surprising, but it's first-hand 
> knowledge (that is, when I say SCADA is weak, it's because I've seen it for my own eyes, not because it heard it was 
> well docum http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf


I started a company called Lofty Perch a few years ago and we rapidly wandered into SCADA and CIP (Lofty is still 
going, but I'm not involved anymore).  The challenge of addressing the space is complicated by: the nature of the folks 
who build and run these systems (steel-toed boots and hardhats, "seven years to go 'til retirement and I'll quit when 
some computer kid tells me what to do'); the lack of a mandate from the government (or anyone) to address the problem; 
and the inherent difficulties we (infosec) have as an industry.

The first of these is what it is, and we have to bear that in mind when crafting solutions.  This is why the second is 
virtually an absolute requirement - these folks are much less likely to run off and embrace security than IT (pointed 
pause......).

The third is something we can do about, but - for all the same reasons that we struggle with IT security - we don't.  
We need to make it programatically simple for the facility owner/operators to consumer security solutions like they 
consume epoxy and PLCs, but we keep trying to explain to them how digital signatures are revoked.

-chris


      
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.