Tuesday, February 12, 2008

SCADA Superheroes!



Continuing on a theme, I obviously lack the self-discipline that Dale has when it comes to IT vs. SCADA debates, as I've been rehashing impossible issues with the SCADA Security Comic Book Crowd over on the new SCADASEC mailing list. Of course it is difficult (if not impossible, but entertaining nonetheless) to have a dialogue with folks that have no idea what you are talking about and are not interested in technical discussions and whose "hearts are hardened" (to get Biblical for a moment), but it's been fun to blow off steam (while waiting for the Obama landslide) and sharpen my email skills, which have been sort of languishing since I left Cisco. Ah, for those happy days of arguing with PSIRT about the dangers of releasing tools that would bring down the Internet.

I did learn that Walt doesn't want me to be involved in securing the refinery "down the street" from where he lives. Well, that makes two of us. But of course Jake gets the best line and is once again at least rational.

Matt, I think this point is sort of like asking whether Superman or Batman would win if they got into a fight. There is no point in asking the question because neither character is real.


See, in the upside down of control systems security, not only is CERT arming attackers when they release advisories, but the most dangerous enemy is an IT security consultant that has not drunk the SCADA Kool-Aid (patch-free) down in long draughts!


Any security expert who has not carefully internalized these significant differences between enterprise IT security requirements and plant and SCADA security requirements can actually be an active danger to the plant or SCADA implementation-- as dangerous as an uncontrolled attacker.


And kudos to Leif Erickson for being a good sport!

5 comments:

Anonymous said...

I think we need to communicate with the less literate crowd on this issue with SCADA Comics.

In it we'll find cliches such as Torx, the evil script kiddie who lives in his Mom's basement; Fred Einstine, the IT guy who knows too much but whom nobody trusts enough to let him fondle the equipment; Gus Grabbahold, the plant Operations dude; and Sluggo Thinksalot, the controls engineer.

If you're not laughing at these caricatures, you're taking this way too seriously.

It's only life...

Matt Franz said...

It's all good (and comical)

And a fun way to blow off steam because of the "evil IT organization" I happen to work for.

Anonymous said...

Remember... I am an 'evil IT d00d' (l3375p34k, if you don't know it) who works for a healthcare provider here in Chicago, so I get similar comments from work colleagues and internal customers about us 'dumb IT jocks'.

*snicker* I've been called worse, and some of which, I'd rather not say on this blog. ;)

Anonymous said...

What the heck is l3375p34k?

Is that some 3\/1l 50rt 0f h4x0r h4|\|d 5|-|4|<3 or verbiage? Is that the stuff the kids of today are supposed to be using to hide from their parents?

I am just an evil IT guy myself, I guess. I have heard and read about SCAN insecurities and how it can impact the world's critical infrastructure, and that can be scary.

I just want to learn with an open mind what I can and where I can. Every day needs to be a learning experience or we may be doing something wrong. IMHO

With what is going on with the list, we have to find where we are different, where we are the same, and how we can complement each other. Then we can strive to point out the faults and try to make the world a better place. (sounds like a song about Coke or something)

It really does not have to be a wang contest, since we all have our own strong points and weak points. But if we do come to an agreement, we may be able to all forge ahead and for a much better and stable environment/industry that will still need people around to make sure it stays that way.

As it was said, it is only life, so let's enjoy it with a smile! :>

Matt Franz said...

I'm smilin'