Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

SCADA, the control protocols used to operate power stations,

From: Dave Farber <dave () farber net>
Date: Wed, 19 Mar 2003 19:08:32 -0500

------ Forwarded Message
From: Bob Alberti <alberti () sanction net>
Date: Wed, 19 Mar 2003 18:02:16 -0600
To: dave () farber net
Subject: RE: [IP] The Cyberterrorism Big Lie

I like a good contrarian as much as the next fellow, but the infrastructure
security situtation is as bad as, if not worse, than the press it gets.

Here's an IEEE document regarding SCADA, the control protocols used to
operate power stations,

http://grouper.ieee.org/groups/1525/CIGRE34.07/Document/

Searching the document for the word "Security" you'll eventually reach
section 10.2.6.1 which reads (emphasis mine)

" the operational control specification should address the following:
The level of password protection required for fully implementing
select-before-operate (SBO) procedures over the communication network. Given
the basic nature of distributed communication
architecture, **predefined passwords provided by the device vendor may no
longer be adequate to guarantee that an operator has control over a specific
operation without the possibility of interruption by another operator using
the same predefined password.**"

So, much of the nation's infrastructure is presently protected only by
passwords set by the manufacturer.  And one operator can interrupt another
in mid operation.  These are slightly terrifying implications.

If vendor supplied passwords are common, then a password from one facility
will very possibly work at another site.  So a terrorist infiltrator could
work at one site in order to plan an attack on another.  If the Internet is
not scrupulously segregated from the SCADA network, then an attack planned
against a utility could be executed over the Internet.

If one operator can interrupt another in mid operation, then an attack could
easily involve interrupting or modifying a complex operation at a sensitive
stage.

Challenging the conventional wisdom that the Internet leaves us vulnerable
to terrorists is a worthy endeavor.  Unfortunately, it only takes a little
research to discover that the vulnerability not only exists, but is probably
worse than is generally understood.

And labelling this "a big lie" is simply reckless.  If the security
awareness of our entire culture were several times greater than it is at
present, such a claim might have some merit.  However, as any research
reveals, the opposite is true:  as far as security goes our nations has its
head in the sand and its pants around our ankles.  Claiming security
concerns are a "big lie" under such circumstances is an exercise in even
greater denial.

Bob Alberti, CISSP, President          Sanction, Inc.
Phone: (612) 961-0507                   PO Box 583453
http://www.sanction.net           Mpls, MN 55458-3453


-----Original Message-----
From: owner-ip () v2 listbox com [mailto:owner-ip () v2 listbox com]On Behalf
Of Dave Farber
Sent: Wednesday, March 19, 2003 5:24 PM
To: ip
Subject: [IP] The Cyberterrorism Big Lie



------ Forwarded Message
From: Lauren Weinstein <lauren () vortex com>
Date: Wed, 19 Mar 2003 15:10:16 -0800 (PST)
To: dave () farber net
Cc: lauren () vortex com
Subject: The Cyberterrorism Big Lie



Dave,

The nonsense level regarding "cyberterrorism" and the Internet has
been growing ever since 9/11, and I for one am starting to suspect
it's become part of a carefully reasoned campaign of misdirection.

The fables suggesting terrorists could use the Internet to take
down power grids, primary telecom channels, and other critical systems
seem of the same class as the nightmare scenarios painted by some
survivalists pre-Y2K, when we were assured the world could come
to an end at the stroke of midnight.

That the Internet is in many ways fragile and vulnerable is
a given.  But this is not exactly a news flash.  Anyone running such
crucial applications over (or connected to) the public Internet is
a fool, perhaps a dangerous fool -- no terrorists required.

It's as if tons of explosive nitro-glycerin were being shipping
all over the country on public highways, poorly packed in thin, flimsy,
glass containers, in the back of old flatbed trucks with lousy
shock-absorbers.  Terrorists probably wouldn't be at the top
of the worry list regarding those trucks -- the ineptitude of
using the vehicles in such an inappropriate way would be the
big issue.

Similarly, Internet users have far more to be concerned over
than terrorists attacking the Net.  Buggy Microsoft or other
software code might be a starting point.  And the sorts of
damage likely to occur falls much more into the denial of
service category than anything else -- like being unable
to access eBay or your favorite porn site for awhile.
Hardly the end of the world for most reasonable people, I assume.

So why do we keep hearing about the Internet cyberterror threat?
We heard it plenty during the Afghanistan war, when we were
provided with visions of Taliban busily hacking from their
secret caves.  Now the straw man is being dragged out yet again.

The most likely reason, it is reasonable to surmise, is to set
the stage for national government takeovers of the Internet.
By elevating the Internet inappropriately into the
national security sphere, it makes the case for government
control of the Net (and incidentally, pervasive Internet
monitoring, encryption bans, etc.) all the easier to justify.
Recent history suggests that some of the existing
Net "control" organizations (e.g. ICANN) may well play
into the hands of such a scheme.

And it may well be a successful strategy.  If you can get
the people at large to buy it, they'll clamor to
"take Internet decision-making and control away from those
darn technical eggheads and put it in the hands of the
Pentagon where it belongs!"  If you don't believe this could happen,
look at the current polls which say that half the U.S. population
thinks Iraq was directly involved in the 9/11 attacks -- a charge
not even made directly by Bush's hawks or intelligence services.
But as we've seen, careful manipulation of the debate can easily
plant false ideas without ever having to state the falsehoods
in a direct manner.

The Internet has become an immensely valuable symbol, capable
of vast good but also with enormous manipulative and propaganda
potential for those who control it, aspects which for some far
outstrip its true value from a technical mission standpoint.

If we allow this manipulation to continue along its current course,
we will cede the Internet, like so many other previously positive
aspects of our society, to the dark side.

--Lauren--
Lauren Weinstein
Web Flag: http://www.pfir.org/usa-peace-now.gif
lauren () pfir org or lauren () vortex com or lauren () privacyforum org
Tel: +1 (818) 225-2800
Co-Founder, PFIR - People For Internet Responsibility - http://www.pfir.org
Co-Founder, Fact Squad - http://www.factsquad.org
Co-Founder, URIICA - Union for Representative International Internet
                     Cooperation and Analysis - http://www.uriica.org
Moderator, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
"Wired News" Commentaries -
        http://www.wired.com/news/storylist/0,2339,642,00.html
      & http://www.wired.com/news/storylist/0,2339,705,00.html


------ End of Forwarded Message

-------------------------------------
You are subscribed as alberti () sanction net
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/


------ End of Forwarded Message

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/
Previous By Date Next
Previous By Thread Next

Current thread: