[146762] in North American Network Operators' Group


Re: First real-world SCADA attack in US

daemon@ATHENA.MIT.EDU (Jen Linkova)
Tue Nov 22 00:25:51 2011

In-Reply-To: <4ECAC426.9090203@amplex.net>
Date: Tue, 22 Nov 2011 16:24:59 +1100
From: Jen Linkova <furry13@gmail.com>
To: Mark Radabaugh <mark@amplex.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Tue, Nov 22, 2011 at 8:35 AM, Mark Radabaugh <mark@amplex.net> wrote:
> Having worked on plenty of industrial and other control systems I can safely
> say security on the systems is generally very poor. The vulnerabilities
> have existed for years but are just now getting attention. This is a
> problem that doesn't really need a bunch of new legislation. It's an
> education / resource issue. The existing methods that have been used for
> years with reasonable success in the IT industry can 'fix' this problem.

I agree, it is mostly an education and resources issue. But the
environment of control networks is slightly different from the IT
industry, IMHO.

1) Control network people have been living in a kind of isolation for
too long and haven't realized that their networks are connected to the Big
Bad Internet (or at least an intranet..) now, so the threat model has
changed completely.
2) There aren't many published cases of successful (or even
unsuccessful) attacks on control networks. As a result, the risk of an
attack is considered to have a large potential loss but a *very* low
probability of occurring, and a high cost of countermeasures =>
ignoring..
3) Interconnections between control networks and "normal" LANs are a
kind of grey area (especially taking into account that both types of
networks are run by different teams of engineers). It is very hard to
get any technical/security requirements etc. - usually none of them
exist. And as the whole system is as secure as the weakest element....
the result is easily predictable.
4) Any changes in a control network are to be done in a much more
conservative way. All those "apply the patch..oh, damn, it
crashed..rollback" approaches don't work there. In addition (from my experience,
which might not be statistically reliable) the testing/lab resources
are usually much more limited for control networks;
5) As the life cycle of hw&sw is much longer than in the IT industry, it
is very hard to meet the security requirements w/o significant changes
to the existing control network (inc. procedures/policies) - but see #4
above..

So there is a gap - those control networks are 10 (20?) years behind the
Internet in terms of security. This gap can be filled, but not
immediately.

The good news is that such stories as the one we are discussing could
help scare the decision makers..oops, sorry, I was going to say 'raise
the level of security awareness'.

-- 
SY, Jen Linkova aka Furry
