Thursday, September 27, 2007

The "Invisible Threat" at the End of the Fiscal Year
It's hard not to be cynical these days, especially when you see topics you have some knowledge of (or know the folks who are getting quoted) show up in the media. So the timing of the leaked/intentionally released "staged cyber attack" right before appropriation time makes a lot of sense. Get those earmarks while you still can. "Got to get them Dead Presidents" (to quote Tim Fite).

From the CNN story:
The White House was briefed on the experiment, and DHS officials said they have since been working with the electric industry to devise a way to thwart such an attack.

"I can't say it [the vulnerability] has been eliminated. But I can say a lot of risk has been taken off the table," said Robert Jamison, acting undersecretary of DHS's National Protection and Programs Directorate.

Government sources said changes are being made to both computer software and physical hardware to protect power generating equipment. And the Nuclear Regulatory Commission said it is conducting inspections to ensure all nuclear plants have made the fix.

And from the AP story (written by our old friend Ted Bridis, no doubt):
President Bush's top telecommunications advisers concluded years ago that an organization such as a foreign intelligence service or a well-funded terror group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation." Ominously, the Idaho National Laboratory — which produced the new video — has described the risk as "the invisible threat."

Given that most people in the field know this sort of thing has always been possible, I'm curious why it has taken this long. Why now? It's been a month or two since the Black Hat press cycle. To me, the fact that this experiment was leaked/released to the public is either a sign of immense vitality (things could never be better!) or of extreme sickness in the SCADA security community (the naysayers are questioning why so much money is being spent). If I were forced to pick, I would go for the latter.

To me this attack is more interesting if taken more literally, meaning you don't try to make the stretch to large-scale generation assets. How many large data centers have comparable generators? And then there is HVAC. With all the focus on power grid security and process control security, the folks over in building automation systems are still back in the euphoric glory days of web services and the wonders of TCP/IP-enabled embedded devices. Think about the comparable HVAC equipment (or controllers) that is often directly connected to campus networks; there's nothing like seeing BACnet broadcasts when you sniff traffic on your switch port to make you feel warm and fuzzy.
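Those BACnet broadcasts are easy to inventory from a switch-port capture. The following is an added example, not code from the original post: it decodes BACnet/IP frames (BVLC and NPDU headers, then the APDU service choice) and tallies which hosts are sending Who-Is discovery broadcasts and which controllers answer with I-Am. The frames and addresses in SAMPLE are constructed for illustration, not captured, and Forwarded-NPDU frames are deliberately rejected to keep the parser short.

```python
import struct
from collections import Counter

BVLC_FUNC = {0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU"}   # Forwarded-NPDU (0x04) not handled
UNCONFIRMED = {0x00: "I-Am", 0x01: "I-Have", 0x07: "Who-Has", 0x08: "Who-Is"}   # APDU service choices
CONFIRMED = {0x0C: "ReadProperty", 0x0F: "WriteProperty", 0x14: "ReinitializeDevice"}

def decode(frame: bytes) -> dict:
    """Check the BVLC header (0x81, function, 16-bit total length) and NPDU version 1, then name the APDU service."""
    if len(frame) < 7 or frame[0] != 0x81 or struct.unpack("!H", frame[2:4])[0] != len(frame) or frame[4] != 1:
        raise ValueError("not a well-formed BACnet/IP frame")
    func, control, off, dnet = frame[1], frame[5], 6, None
    if control & 0x20:                      # DNET, DLEN, DADR present (DNET 0xFFFF = global broadcast)
        dnet, dlen = struct.unpack("!HB", frame[off:off + 3])
        off += 3 + dlen
    if control & 0x08:                      # SNET, SLEN, SADR present
        off += 3 + frame[off + 2]
    off += 1 if dnet is not None else 0     # hop count follows the source fields
    if control & 0x80:                      # network-layer message, no APDU to classify
        service = "network-layer"
    elif frame[off] >> 4 == 1:              # Unconfirmed-Request: type byte, service choice
        service = UNCONFIRMED.get(frame[off + 1], "unconfirmed-%d" % frame[off + 1])
    elif frame[off] >> 4 == 0:              # Confirmed-Request: type, max-resp, invoke-id, service
        service = CONFIRMED.get(frame[off + 3], "confirmed-%d" % frame[off + 3])
    else:
        service = "pdu-type-%d" % (frame[off] >> 4)
    return {"bvlc": BVLC_FUNC.get(func, hex(func)), "dnet": dnet, "service": service}

def discovery_report(packets):
    """(source_ip, frame) pairs -> Who-Is count per source, and the sources that answered with I-Am."""
    who_is, i_am = Counter(), []
    for src, frame in packets:
        try:
            service = decode(frame)["service"]
        except ValueError:
            continue                        # not BACnet, ignore
        if service == "Who-Is":
            who_is[src] += 1
        elif service == "I-Am":
            i_am.append(src)
    return who_is, i_am

# Constructed sample capture: two Who-Is broadcasts, an I-Am, a unicast ReadProperty, and a non-BACnet datagram
SAMPLE = [
    ("10.0.5.7", bytes.fromhex("810b000c0120ffff00ff1008")),
    ("10.0.5.7", bytes.fromhex("810b000801001008")),
    ("10.0.5.20", bytes.fromhex("810b001401001000c4020000012201e09103210f")),
    ("10.0.5.7", bytes.fromhex("810a001101040005010c0c02000001194c")),
    ("10.0.5.9", b"\x00\x01\x02\x03"),
]
```

Run `discovery_report(SAMPLE)` on a real capture's UDP/47808 payloads to see which hosts are enumerating controllers on the segment and which controllers are answering.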

If the "risks have been taken off the table," then what is the point of the smoking generator? IMHO, the video was sort of a letdown. And the endgame is not nearly as interesting as the access requirements, the components under attack, the messages getting sent, and the specific sequence of events necessary to get there.
