Sunday, December 02, 2007

Control System Security: Two Man Enter One Man Leave



Because I know a lot of the players and because it's sort of quaint, I continue to follow the trials and tribulations of the "SCADA Security" community I used to be part of while I was at Cisco and later, Digital Bond. I'd love to do the color commentary, but I'll just hit the highlights and let you make up your own mind. But believe me, I am biting my tongue.

I'm assuming this whole spat started with Dale's blog post on a Wonderware NetDDE vulnerability, which led to Joe Weiss's Cybersecurity disclosures – the game everybody can play:

The way that the cybersecurity establishment has presented the Wonderware disclosure on the Digital Bond website clearly shows the lack of control system expertise in the cybersecurity “industry.” It IS an industry, and it is filled with people from IT security and cryptographic analysis backgrounds who have rarely, if ever, set foot in a control room for a process plant, refinery, or power plant.

It isn’t enough to be able to understand a vulnerability. It is every bit as important to understand the relative danger of the vulnerability IN CONTROL SYSTEMS. For example, the Wonderware disclosure isn’t very dangerous. Why not? Because the vulnerability disclosed is limited to a very small population of control systems using an outdated version of the Wonderware software. Like the ICONICS issue, revealing a vulnerability without a corresponding assessment of its impact is not only detrimental, but could be viewed (and certainly would be by Wonderware and ICONICS, for example) as unnecessarily injurious to their brands.

Which was followed by an exchange between Dale and Walt that almost didn't happen:

We have a serious problem in cybersecurity in control systems…we don’t have enough “cybersecurity experts” who know anything about process control or factory automation. We have a bunch of soi-disant experts who descended on control systems (remember, they’re the guys who thought every control system was “SCADA”?) because they saw a big market, and have been spreading FUD ever since. Recently, a Wonderware vulnerability has been disclosed, and the disclosure is making the rounds. Several months ago, an ICONICS vulnerability was disclosed, causing ICONICS significant distress. Why? Well in both cases, the vulnerability was, although accurately described, not dangerous.

Followed by Walt's attempt to trick Dale (and preach to the choir) on the Australian SCADA Mailing List:

Since you have referenced the exchange Dale and I have had on my blog, I'm curious to hear YOUR answer to the question I kept asking Dale, and he kept not answering.

Here's what I asked, repeatedly. "Do you disagree with my premise: that in order to adequately advise people about cybersecurity in the process industries, significant familiarity with those industries and control systems is required?"

Dale didn't answer. I'd be delighted to hear others' answers.

What's behind all of this? Maybe we are at a tipping point of some sort. A power shift? All this talk of "the establishment." Perhaps we are at that point in martial arts movies where blood is dripping down over one of the fighter's eyes and he starts to get desperate and defensive. And then swings wildly. This is also before he cracks his neck with his hands and motions with both fingers to "bring it on." Before getting kicked in the head. And then the credits scroll.

Or perhaps it is just the same inane "IT vs. SCADA" conversation that has been raging for the past 5 years.

Yeah, Jjakpae is an awesome Korean martial arts (taekwondo) movie. A must see.
