Wednesday, January 02, 2008

21st Century Ethernet, False Prophets, and other Absurdities



Once again the SCADA Mailing list provides lots of heat but little light. The thread started out mysteriously enough with myrcurial's assertion that in '08 SCADA was just too lame to bother hacking (on a related note, check out Dale's recap of Ralph Langner's view on CCC Hacking SCADA), then degraded into the usual whining. Much like Obama vs. Clinton, a lot of the argument falls out based on age and experience, with some of the more senior folks having some crazy ideas not based in reality. I swear I heard the dumbest Hillary supporter on All Things Considered this afternoon, you know, the one that wanted Hillary right after Bill.

As much as I tried, there is nothing to say here except to ponder each of these and their ironic potential, especially when taken out of context:

"we have met the enemy and it is Ethernet."

More and more, thanks to very clever marketing departments, customers are ever more eager to convert their "old" industrial control networks to Ethernet. Perfectly adequate systems that are running isolated and safe.

Why? Well, Ethernet is just so cool, so 21st century. Web browser interface, etc... What could be cooler? Techs and engineers want to work with the latest technology, it improves the resume, makes one more marketable, right?

What results from this rush to Ethernet?

Well, for one thing, there is clearly a lack of decent IT talent to maintain that many critical SCADA systems (many existing personnel can barely understand serial networks - believe me, 25+ years in the business - I know.)

Ethernet invites connection to company LANs through firewalls.

Firewalls get penetrated due to the same lack of IT talent to maintain their robustness.

Joe Weiss speaks the truth. The you-know-what is going to hit the fan, it's just a question of time.

1 comment:

ab3a said...

Matt, if the SCADA whining looks bad from your end, believe me, it looks no better from my end.

Much of this is posturing so that people can get support and money. The assertion that a technology has caused the problem always bothers me. Security is not about the technology. It's about a person's use of the technology. Ignorance is no excuse. Blah Blah Blah...