funsec mailing list archives

Re: Bad (Insecure) Business Decisons [Was: Re: IPv6, C&C (not bot nets, coffe and cats)]


From: "B.K. DeLong" <bkdelong () pobox com>
Date: Sat, 30 Jun 2007 15:35:21 -0400

I think what disturbs me most about this is that we were having this
exact same discussion in 1999 and we're almost a decade out PAST 9-11
and they're still not fixed.

On 6/29/07, Dave Paris <dparis () w3works com> wrote:
It's not the meter reading portion of the links that scare me as much as
remote access to substations, grid interconnect points, etc.  I've seen
systems as Ferg describes below and utterly simplistic dial-in,
unauthenticated systems... no dialback, zippo.  Utterly insane.

Best~
-dsp

Paul Ferguson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
[...]
>
> True enough.
>
> I've had a number of conversations with several people on this issue
> in the past few months that go something along the lines of:
>
> Me: "You'd be shocked if you knew the extent of the problem."
> Them: "Huh? Aren't critical systems like electrical power, etc.
> not connected to the Internet?"
> Me: "You'd think they wouldn't be, but you'd be wrong."
>
> Some astoundingly stupid business decisions may put critical
> infrastructure at risk?
>
> How you ask?
>
> Consider this simple scenario.
>
> A regional electric company wants to remotely read residential
> meters for electric consumption, but does not want to invest in
> installing their own infrastructure (read: laying new fiber or
> hybrid-fiber coax [HFC]) to do so, and makes a business decision
> (everything boils down to dollars and cents) to use existing
> infrastructure (read: Internet VPN-style connectivity) to accomplish
> this feat.
>
> Boggles the mind, eh? This exact scenario exists today.
>
> - - ferg
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.6.2 (Build 2014)
>
> wj8DBQFGhce6q1pz9mNUZTMRAraOAJ92XQnd46go/1yCrWqecfsR3yp2twCfd2vk
> 3KWRtJAQkmMry0FZ+Ot92M4=
> =GT/R
> -----END PGP SIGNATURE-----
>
>
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/
>
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.



--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471

http://www.wkdelong.org                    Son.
http://www.ianetsec.com                    Work.
http://www.bostonredcross.org             Volunteer.
http://www.carolingia.eastkingdom.org   Service.
http://bkdelong.livejournal.com             Play.


PGP Fingerprint:
38D4 D4D4 5819 8667 DFD5  A62D AF61 15FF 297D 67FE

FOAF:
http://foaf.brain-stream.org