funsec mailing list archives

Re: Foul


From: Ned Fleming <ned () kaw us>
Date: Tue, 10 Nov 2009 16:47:59 -0600


On Tue, 10 Nov 2009 13:12:02 -0800 (PST), chris () blask org wrote:

--- On Tue, 11/10/09, Ned Fleming <ned () kaw us> wrote:

You're implying the Brazilian utility story may be a
cover-up and that the motivation to do so was very high. And further, not
even the participants in this alleged cover-up would be able to deny
it was one. Interesting.

No.  I suppose at some level I am implying that it was possible that it could have been, but I seriously doubt that it 
was.  What I am saying is that there are so many ways these systems can fail that it is easy to provide an alternate 
public story that most of the people directly involved with the systems would not be able to discern.  Obviously, 
actual participants of such stories would be aware.

OK. If I'm going to guess conspiracy I would think CBS was conspiring
to keep the turds stirred up. Ratings. Eyeballs. Pizazz. Front page.
Cutting edge. But I don't believe it's even all that; I'd throw in
complacency and ineptitude, too.

I can see how this could be read as a spiraling conversation about cover-ups and conspiracies (I thought it might when 
I wrote the first comment), but that was not my intent and I'm not likely to pursue such a pointless back-and-forth.  
In the vast majority of cases I am of the opinion that conspiracy theories are absolute bunkum.  However, there are 
some marginal situations where motivation and opportunity do lend themselves to obfuscation.  In this case, it would 
not destroy my world-view if I were to find out that the Brazilian grid operators turned out to be unable to determine 
whether their system was hacked and whether the sub-standard materials were to blame as opposed to someone jacking 
with their transmission equipment causing some of the sub-standard materials to fail - and further that related 
authorities might be tempted to point to said sub-standard materials with a "nothing to see here" declaration.

I agree with this, sure.

Not true for electric utilities. They're spending fortunes
on NERC CIP. Electric utilities understand FERC/NERC are really
just getting started. The smart grid ("from the toaster to the
generator") cyber security standards will make NERC CIP look small.

The grid is making forward strides - which I couldn't be happier about - but as you say NERC CIP will look limited 
compared to more evolved standards.  Major parts of the grid are getting much more resource than smaller parts, as is 
only expected.  But the grid consists of an enormous amount of individual players and the vast majority of those are 
severely challenged.  The scope of the effort to address issues in the grid alone is out of scale with the resources 
available to do so.

Moreover, the grid is only a (very large) small part of deployed control systems.  There are an extremely large number 
of control systems deployed in an enormous range of applications throughout the infrastructure, and beyond some parts 
of the grid virtually none of them are being addressed at all.  These systems are in both 'trivial' and non-trivial 
applications.

Okie dokie.


We need to regularize our approach to CIP cybersecurity
or we aren't going to make any headway at all.

I disagree.

You disagree that we need to regularize our approach, or that it is necessary to do so to make headway?

I disagree that the regularization plan (CIP itself) is any good. I'd
torpedo it in favor of something else. Maybe a combo of NIST 800-??
and Sans CoSec. To me, NERC CIP looks and acts too much like
Sarbanes-Oxley -- a lot of busy work but only marginal security
improvement. Something an auditor can approve of, but it's not
fighting the whole fight. I see it as too much and too little.

I've sat in too many committee meetings where the vagueness (and lack
of clarification from NERC) resulted in a lot of wrangling and not
much light. This is probably in part because of the history of NERC
and its only recent adoption by FERC, along with FERC's powers to kick
buttocks. 

Who has the upper hand in a company can greatly affect
how, and how much, really gets implemented.

Perhaps I overstated, let me try again:

We need to regularize our approach to CIP cybersecurity or we are extremely unlikely to make adequate headway in an 
appropriate amount of time.

Lessons are being learned, those can be repeated and built upon.  However, compared to standard IT networks (which not 
even I would argue are secured to a highly satisfactory level), control system security is at best underdeveloped and 
underdelivered.


Yeah, I'd agree with the caveat that the standards be more
security-driven and less auditor-driven.

-- 

Ned



_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.