nanog mailing list archives

Re: First real-world SCADA attack in US


From: Jimmy Hess <mysidia () gmail com>
Date: Mon, 21 Nov 2011 21:43:47 -0600

On Mon, Nov 21, 2011 at 3:35 PM, Mark Radabaugh <mark () amplex net> wrote:
On 11/21/11 10:32 AM, Jay Ashworth wrote:
> education / resource issue. The existing methods that have been used for
> years with reasonable success in the IT industry can 'fix' this problem.

The "existing normal methods" used by much of the IT industry fail way too often, and therefore some measure of regulation is in order when the matter is about critical public infrastructure -- it's simply not in the public interest to let agencies fail or use slipshod/half-measure techniques that are commonly practiced by some of the IT industry.

They should be required to engage in practices that can be proven to mitigate risks to a known, controllable quantity.

The weakness of typical IT security is probably OK when the only danger of compromise is that an intruder might get some sensitive information, or IT might need to go to the tapes.

That just won't do when the result of compromise is that industrial equipment is forced outside of safe parameters, resulting in deaths, or a city's water supply is shut down, resulting in deaths.

Hard perimeter and mushy interior, with OS updates just to address known issues and malware scanners to "try and catch" things, just won't do.

..."an OS patch introduces a serious crash bug" is also a type of security issue. Patching doesn't necessarily improve security; it only helps with issues you know about, and might introduce issues you don't know about.

Enumerating badness is simply not reliable, and patch patch patch is simply an example of that -- when security really matters, don't attach it to a network, especially not one that might eventually be internet connected -- indirect or not.

Connection to a management LAN that has any PC on it that is or was ever internet connected "counts" as an internet connection.

> Industrial control systems are normally only replaced when they are so old
> that parts can no longer be obtained. PCs started to be widely used as
> operator interfaces about the time Windows 95 came out. A lot of those
> Win95 boxes are still running and have been connected to the network over
> the years.

The "Windows 95" part is fine.

The "connected to the network"  part is not fine.

--
-JH

