funsec mailing list archives

Re: cyber-9/11

From: Robert Graham <robert_david_graham () yahoo com>
Date: Tue, 7 Apr 2009 23:43:21 -0700 (PDT)

Jon Kibler wrote:

First, your perception that attacks from China

are "teenagers" or

"script kiddies" is wrong. It is well

documented that the State is

behind a lot of these intrusions.


Begging the question, well documented where?


I was going to ask the same question.


I'd love to see these documents, they would completely change my point of view.

Robert, if you have a better idea how to force security 
accountability by providers of critical infrastructure, I am 
sure the world would be glad to hear from you.

I don't understand the question. The power critical infrastructure is no more vulnerable to cyberattack than it is to a
physical attack, such as bombing selected power substations, or holding an engineer's family hostage while he flips the
appropriate switch on a nuclear reactor. State actors or well-funded terrorist organizations do not like hacking. The
reason is that the results are unreliable. They'd rather go the physical route and get the desired result in a
predictable timeframe.

I agree with the point that SCADA is laughably weak, I disagree that drastic government control is needed to fix the
problem, or will fix the problem.

I agree that SCADA systems are extremely weak. I curl up in a ball laughing on the floor every time somebody mentions
"Smart Grid". Here is a paper I gave a couple years ago at Black Hat. It's nothing surprising, but it's first-hand
knowledge (that is, when I say SCADA is weak, it's because I've seen it for my own eyes, not because it heard it was
well docum
http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf

If China were to go to war against us, they would more likely bomb carefully selected power stations than hack in our
systems. It's easier, and more assured of success. (Causing a power blackout either through hacking or bombing is
equally an act of war).

Our electrical grid is already vulnerable to a physical attack. The question is whether we should invest

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

cyber-9/11 Larry Seltzer (Apr 07)
- Re: cyber-9/11 Paul M. Moriarty (Apr 07)
  - Re: cyber-9/11 Michael Collins (Apr 07)
    - Re: cyber-9/11 Larry Seltzer (Apr 07)
    - Re: cyber-9/11 Robert Graham (Apr 07)
    - Re: cyber-9/11 Jon Kibler (Apr 07)
    - Re: cyber-9/11 Gadi Evron (Apr 07)
    - Re: cyber-9/11 Barry Raveendran Greene (Apr 07)
    - Re: cyber-9/11 Richard Golodner (Apr 07)
    - Re: cyber-9/11 quispiam lepidus (Apr 08)
    - Re: cyber-9/11 Robert Graham (Apr 07)
    - Re: cyber-9/11 Jon Kibler (Apr 08)
    - Re: cyber-9/11 Gadi Evron (Apr 08)
    - Re: cyber-9/11 Chris Blask (Apr 08)
    - Re: cyber-9/11 Jon Kibler (Apr 08)
    - Re: cyber-9/11 Nick FitzGerald (Apr 08)
    - Re: cyber-9/11 der Mouse (Apr 08)
    - Re: cyber-9/11 Jon Kibler (Apr 08)
- <Possible follow-ups>
- Re: cyber-9/11 Robert Graham (Apr 07)
  - Re: cyber-9/11 Donal (Apr 08)
- Re: cyber-9/11 Chris Blask (Apr 08)