funsec mailing list archives

Re: Foul


From: chris () blask org
Date: Tue, 10 Nov 2009 13:12:02 -0800 (PST)

--- On Tue, 11/10/09, Ned Fleming <ned () kaw us> wrote:

> You're implying the Brazilian utility story may be a
> cover-up and that the motivation to do so was very high. And further, not
> even the participants in this alleged cover-up would be able to deny
> it was one. Interesting.

No.  I suppose at some level I am implying that it was possible that it could have been, but I seriously doubt that it 
was.  What I am saying is that there are so many ways these systems can fail that it is easy to provide an alternate 
public story that most of the people directly involved with the systems would not be able to discern.  Obviously, 
actual participants of such stories would be aware.

I can see how this could be read as a spiraling conversation about cover-ups and conspiracies (I thought it might when 
I wrote the first comment), but that was not my intent and I'm not likely to pursue such a pointless back-and-forth.  
In the vast majority of cases I am of the opinion that conspiracy theories are absolute bunkum.  However, there are 
some marginal situations where motivation and opportunity do lend themselves to obfuscation.  In this case, it would 
not destroy my world-view if I were to find out that the Brazilian grid operators turned out to be unable to determine 
whether their system was hacked and whether the sub-standard materials were to blame as opposed to someone jacking with 
their transmission equipment causing some of the sub-standard materials to fail - and further that related authorities 
might be tempted to point to said sub-standard materials with a "nothing to see here" declaration.

> Not true for electric utilities. They're spending fortunes
> on NERC CIP. Electric utilities understand FERC/NERC are really
> just getting started. The smart grid ("from the toaster to the
> generator") cyber security standards will make NERC CIP look small.

The grid is making forward strides - which I couldn't be happier about - but as you say NERC CIP will look limited 
compared to more evolved standards.  Major parts of the grid are getting much more resource than smaller parts, as is 
only expected.  But the grid consists of an enormous amount of individual players and the vast majority of those are 
severely challenged.  The scope of the effort to address issues in the grid alone is out of scale with the resources 
available to do so.

Moreover, the grid is only a (very large) small part of deployed control systems.  There are an extremely large number 
of control systems deployed in an enormous range of applications throughout the infrastructure, and beyond some parts 
of the grid virtually none of them are being addressed at all.  These systems are in both 'trivial' and non-trivial 
applications.

>> We need to regularize our approach to CIP cybersecurity
>> or we aren't going to make any headway at all.
>
> I disagree.

You disagree that we need to regularize our approach, or that it is necessary to do so to make headway?

Perhaps I overstated, let me try again:

We need to regularize our approach to CIP cybersecurity or we are extremely unlikely to make adequate headway in an 
appropriate amount of time.

Lessons are being learned, those can be repeated and built upon.  However, compared to standard IT networks (which not 
even I would argue are secured to a highly satisfactory level), control system security is at best underdeveloped and 
underdelivered.

-chris



      
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

