Interesting People mailing list archives
SCADA, the control protocols used to operate power stations,
From: Dave Farber <dave () farber net>
Date: Wed, 19 Mar 2003 19:08:32 -0500
------ Forwarded Message From: Bob Alberti <alberti () sanction net> Date: Wed, 19 Mar 2003 18:02:16 -0600 To: dave () farber net Subject: RE: [IP] The Cyberterrorism Big Lie I like a good contrarian as much as the next fellow, but the infrastructure security situtation is as bad as, if not worse, than the press it gets. Here's an IEEE document regarding SCADA, the control protocols used to operate power stations, http://grouper.ieee.org/groups/1525/CIGRE34.07/Document/ Searching the document for the word "Security" you'll eventually reach section 10.2.6.1 which reads (emphasis mine) " the operational control specification should address the following: The level of password protection required for fully implementing select-before-operate (SBO) procedures over the communication network. Given the basic nature of distributed communication architecture, **predefined passwords provided by the device vendor may no longer be adequate to guarantee that an operator has control over a specific operation without the possibility of interruption by another operator using the same predefined password.**" So, much of the nation's infrastructure is presently protected only by passwords set by the manufacturer. And one operator can interrupt another in mid operation. These are slightly terrifying implications. If vendor supplied passwords are common, then a password from one facility will very possibly work at another site. So a terrorist infiltrator could work at one site in order to plan an attack on another. If the Internet is not scrupulously segregated from the SCADA network, then an attack planned against a utility could be executed over the Internet. If one operator can interrupt another in mid operation, then an attack could easily involve interrupting or modifying a complex operation at a sensitive stage. Challenging the conventional wisdom that the Internet leaves us vulnerable to terrorists is a worthy endeavor. Unfortunately, it only takes a little research to discover that the vulnerability not only exists, but is probably worse than is generally understood. And labelling this "a big lie" is simply reckless. If the security awareness of our entire culture were several times greater than it is at present, such a claim might have some merit. However, as any research reveals, the opposite is true: as far as security goes our nations has its head in the sand and its pants around our ankles. Claiming security concerns are a "big lie" under such circumstances is an exercise in even greater denial. Bob Alberti, CISSP, President Sanction, Inc. Phone: (612) 961-0507 PO Box 583453 http://www.sanction.net Mpls, MN 55458-3453 -----Original Message----- From: owner-ip () v2 listbox com [mailto:owner-ip () v2 listbox com]On Behalf Of Dave Farber Sent: Wednesday, March 19, 2003 5:24 PM To: ip Subject: [IP] The Cyberterrorism Big Lie ------ Forwarded Message From: Lauren Weinstein <lauren () vortex com> Date: Wed, 19 Mar 2003 15:10:16 -0800 (PST) To: dave () farber net Cc: lauren () vortex com Subject: The Cyberterrorism Big Lie Dave, The nonsense level regarding "cyberterrorism" and the Internet has been growing ever since 9/11, and I for one am starting to suspect it's become part of a carefully reasoned campaign of misdirection. The fables suggesting terrorists could use the Internet to take down power grids, primary telecom channels, and other critical systems seem of the same class as the nightmare scenarios painted by some survivalists pre-Y2K, when we were assured the world could come to an end at the stroke of midnight. That the Internet is in many ways fragile and vulnerable is a given. But this is not exactly a news flash. Anyone running such crucial applications over (or connected to) the public Internet is a fool, perhaps a dangerous fool -- no terrorists required. It's as if tons of explosive nitro-glycerin were being shipping all over the country on public highways, poorly packed in thin, flimsy, glass containers, in the back of old flatbed trucks with lousy shock-absorbers. Terrorists probably wouldn't be at the top of the worry list regarding those trucks -- the ineptitude of using the vehicles in such an inappropriate way would be the big issue. Similarly, Internet users have far more to be concerned over than terrorists attacking the Net. Buggy Microsoft or other software code might be a starting point. And the sorts of damage likely to occur falls much more into the denial of service category than anything else -- like being unable to access eBay or your favorite porn site for awhile. Hardly the end of the world for most reasonable people, I assume. So why do we keep hearing about the Internet cyberterror threat? We heard it plenty during the Afghanistan war, when we were provided with visions of Taliban busily hacking from their secret caves. Now the straw man is being dragged out yet again. The most likely reason, it is reasonable to surmise, is to set the stage for national government takeovers of the Internet. By elevating the Internet inappropriately into the national security sphere, it makes the case for government control of the Net (and incidentally, pervasive Internet monitoring, encryption bans, etc.) all the easier to justify. Recent history suggests that some of the existing Net "control" organizations (e.g. ICANN) may well play into the hands of such a scheme. And it may well be a successful strategy. If you can get the people at large to buy it, they'll clamor to "take Internet decision-making and control away from those darn technical eggheads and put it in the hands of the Pentagon where it belongs!" If you don't believe this could happen, look at the current polls which say that half the U.S. population thinks Iraq was directly involved in the 9/11 attacks -- a charge not even made directly by Bush's hawks or intelligence services. But as we've seen, careful manipulation of the debate can easily plant false ideas without ever having to state the falsehoods in a direct manner. The Internet has become an immensely valuable symbol, capable of vast good but also with enormous manipulative and propaganda potential for those who control it, aspects which for some far outstrip its true value from a technical mission standpoint. If we allow this manipulation to continue along its current course, we will cede the Internet, like so many other previously positive aspects of our society, to the dark side. --Lauren-- Lauren Weinstein Web Flag: http://www.pfir.org/usa-peace-now.gif lauren () pfir org or lauren () vortex com or lauren () privacyforum org Tel: +1 (818) 225-2800 Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org Co-Founder, Fact Squad - http://www.factsquad.org Co-Founder, URIICA - Union for Representative International Internet Cooperation and Analysis - http://www.uriica.org Moderator, PRIVACY Forum - http://www.vortex.com Member, ACM Committee on Computers and Public Policy "Wired News" Commentaries - http://www.wired.com/news/storylist/0,2339,642,00.html & http://www.wired.com/news/storylist/0,2339,705,00.html ------ End of Forwarded Message ------------------------------------- You are subscribed as alberti () sanction net To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/ ------ End of Forwarded Message ------------------------------------- You are subscribed as interesting-people () lists elistx com To manage your subscription, go to http://v2.listbox.com/member/?listname=ip Archives at: http://www.interesting-people.org/archives/interesting-people/
Current thread:
- SCADA, the control protocols used to operate power stations, Dave Farber (Mar 19)