Who's vulnerable-- is anybody NOT? #pauto #scadasec #pjcoyle #cybersecurity #ics #stuxnet


P J Coyle has an interesting article on his blog:

http://chemical-facility-security-news.blogspot.com/2010/10/who-is-responsible-for-ics-security.html

A couple of things he says, though, should be taken issue with. One is that not every industrial facility with a control system needs to worry about an attack. He specifically mentions food processing. In 2009 at AutomationXchange, in a discussion about cybersecurity, one of the attendees said, "I never thought anybody would attack us. We just make [snack foods], for Pete's sake! But the guy is now in Federal prison. He was a disgruntled employee."

The other unstated assumption Coyle makes is that any cyber incident has to be externally caused (i.e., terrorism). There have been over 100 cases where significant harm (including deaths and injuries) has resulted from cyber "oopsies," and the end result of such accidental cyber incidents is essentially indistinguishable from the end result of a cyber terrorist attack.

Much of Coyle's commentary is spot on. But there were those couple of things that were unspoken assumptions that needed to be challenged.


Why Did Stuxnet Happen?

I won't agree or disagree here. I merely want to make some observations:

Let's assume for the sake of argument that the attackers were either the US or Israel, and that the target was the Uranium Enrichment facility in Iran. It is likely that neither were willing to expend the political capital or the backlash of a direct military attack. There was no physical access.

This is why the cyber attack became likely. Other avenues of action were not nearly as practical.

That is not the case for most utilities in Western countries. Physical attacks are very practical. What if the guy who took an axe to the UPS at Cal ISO had coordinated with a companion at the backup site? What if someone coordinated attacks against a few very large transmission lines?

The things that should keep us up at night are all threats, not just the cyber threat. Also, many hackers may be reluctant to write viruses against common ICS hardware because they know that their attack will spread and may very well blow back upon them. People like their running water, heating, and electricity. It's funny when it happens to someone else; it's not so funny when the attack is traced back to you and, oh, by the way, it spreads well past the intended target and affects your utilities too.

Yes, everyone is vulnerable. And that may be the one reason why very few hackers have invested much effort in writing a virus that would take down the power in their neighborhood.

Everybody is

Two things. First, Coyle's following observation should be read three times by everyone:

"The comments that it must have been a nation-state attack on a politically motivated target just reinforces the perception that most domestic industries simply don't have to worry about such a sophisticated attack against their facilities. After all, there is nothing that they have done that would attract the ire of the US or Israel or any other computer savvy country."

This is a notion that I predicted early; it was the premier reason why I did not answer interview requests at WeissCon, because the media was focusing on the cyberwar aspect of Stuxnet while we in the community were concerned about the broader issue of easy copycats. Joe will remember this vividly because he acted involuntarily as my press agent. It happened anyway. Everybody willing to argue risk away will find a reason for it. A nation state won't attack us, so we keep doing nothing.

The point where I agree with Walt is: everybody is vulnerable. Coyle approaches the issue from the threat side, focusing on targeted attacks, like cyber terrorism. After Stuxnet, this has become much more realistic, because terrorists, like any other would-be attacker, have learned that the key issue in a cyber attack against an air-gapped facility is to get thumb drives into it. Let's assume you have an insider in the target with no technical knowledge but the ability to plug a thumb drive into ANY system attached to the PCN; you're in business. One other point that Coyle seems to ignore is that the average hacker will write malware that attacks controllers without any interest in hitting a specific target. Just see how much damage you can cause; the more, the better.