funsec mailing list archives
Re: Foul
From: chris () blask org
Date: Tue, 10 Nov 2009 13:12:02 -0800 (PST)
--- On Tue, 11/10/09, Ned Fleming <ned () kaw us> wrote:
You're implying the Brazilian utility story may be a cover-up and that the motivation to do so was very high. And further, not even the participants in this alleged cover-up would be able to deny it was one. Interesting.
No. I suppose at some level I am implying that it was possible that it could have been, but I seriously doubt that it was. What I am saying is that there are so many ways these systems can fail that it is easy to provide an alternate public story that most of the people directly involved with the systems would not be able to discern. Obviously, actual participants of such stories would be aware. I can see how this could be read as a spiraling conversation about cover-ups and conspiracies (I thought it might when I wrote the first comment), but that was not my intent and I'm not likely to pursue such a pointless back-and-forth. In the vast majority of cases I am of the opinion that conspiracy theories are absolute bunkum. However, there are some marginal situations where motivation and opportunity do lend themselves to obfuscation. In this case, it would not destroy my world-view if I were to find out that the Brazilian grid operators turned out to be unable to determine whether their system was hacked and whether the sub-standard materials were to blame as opposed to someone jacking with their transmission equipment causing some of the sub-standard materials to fail - and further that related authorities might be tempted to point to said sub-standard materials with a "nothing to see here" declaration.
Not true for electric utilities. They're spending fortunes on NERC CIP. Electric utilities understand FERC/NERC are really just getting started. The smart grid ("from the toaster to the generator") cyber security standards will make NERC CIP look small.
The grid is making forward strides - which I couldn't be happier about - but as you say NERC CIP will look limited compared to more evolved standards. Major parts of the grid are getting much more resource than smaller parts, as is only expected. But the grid consists of an enormous amount of individual players and the vast majority of those are severely challenged. The scope of the effort to address issues in the grid alone is out of scale with the resources available to do so. Moreover, the grid is only a (very large) small part of deployed control systems. There are an extremely large number of control systems deployed in an enormous range of applications throughout the infrastructure, and beyond some parts of the grid virtually none of them are being addressed at all. These systems are in both 'trivial' and non-trivial applications.
We need to regularize our approach to CIP cybersecurityor we aren't going to make any headway at all.
I disagree.
You disagree that we need to regularize our approach, or that it is necessary to do so to make headway? Perhaps I overstated, let me try again: We need to regularize our approach to CIP cybersecurity or we are extremely unlikely to make adequate headway in an appropriate amount of time. Lessons are being learned, those can be repeated and built upon. However, compared to standard IT networks (which not even I would argue are secured to a highly satisfactory level), control system security is at best underdeveloped and underdelivered. -chris _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Re: Foul, (continued)
- Re: Foul chris (Nov 10)
- Re: Foul Ned Fleming (Nov 10)
- Re: Foul chris (Nov 10)
- Re: Foul Ned Fleming (Nov 10)
- Re: Foul chris (Nov 10)
- Re: Foul quispiam lepidus (Nov 11)