An eye-opening SCADA security demo

by spettit 14. October 2009 03:17
I recently attended the Forrester Security Forum and had the opportunity to watch a demo of the Tofino product by Byres Security (you can see it online here: http://www.youtube.com/user/tofinosecurity#p/a/f/1/G4E0bxZGZL0).  I’d seen the demo up on the monitor of something that looks like a tub of water at other TCG-sponsored events but hadn’t had the chance to listen to it, and what I heard was fascinating and a little bit scary.  In our deployments of Great Bay’s Beacon for endpoint discovery, we’ve frequently located and identified SCADA/process control systems in our customers’ networks, but I never fully appreciated the importance of those discoveries prior to seeing this demo.  The discovery and identification of SCADA systems is a good thing in the context of maintaining CIP-002 compliance, but this demo clearly demonstrated that discovery and monitoring only scratch the surface relative to what’s required to secure these systems.  Without going into too many details, I was struck by the protocols used (ancient), the level of technical expertise required to take full control of these systems (rudimentary), and the profound impact one of these compromises could wreak (loss of life).  For those who have been working on/with SCADA systems, I’m stating what they’ve known for years, but I can’t help but think that as IT security teams become more involved in securing these systems, they will be more than a little unnerved by what they find.

Recently, Network World posted an article about someone who pleaded guilty to tampering with SCADA systems after being denied full-time employment (http://www.networkworld.com/news/2009/092309-contractor-pleads-guilty-to-scada.html), and there’s no shortage of press regarding the power grid and its susceptibility to terrorist attacks.  The challenge, of course, is to figure out how much of this is vendor-driven hype to sell more stuff (Y2K) vs. a real threat that requires immediate attention.

Based on what I saw in this demo, combined with comments I’ve heard from companies in a number of industries like “we can finally be compliant with CIP-002” and “now we’ll know how many SCADA systems we actually have”, I’ve come to the conclusion that it’s the latter.

Trusted Computing Group - Open Standards - yes / Open Blog - perhaps not

by spettit 8. June 2009 04:41

I recently wrote a blog post at the request of the good folks at the Trusted Computing Group.  After initial confirmation of receipt and acknowledgement that it would be posted, it seems there was some sort of intervention and it was never posted.  I figure the most likely reasons are:

  • it just wasn’t good enough
  • it wasn’t centered enough on TCG/TNC-specific matters
  • it didn’t include the requisite amount of TNC cheerleading
  • it lacked tact and was irresponsibly forthright


In any event, I’ve waited a few weeks to see if it would be posted but it hasn’t been, so I thought I’d post it here and you can be the judge.

~~~~~~~~~~

Confessions of an industry standards antagonist

I’m a fan of proprietary solutions.  Being first to market, creating a solution to a problem that had, until then, not been solved, is what innovation is all about.  Watching potential customers get excited because someone has finally brought to market a novel approach that solves a real problem they have; that’s what gets the blood pumping.

The problem, of course, is that the forces of ‘do more with less’ and the ‘zero day’ IT security landscape make this proprietary chaos incredibly destructive to the folks managing enterprise IT systems.  Consider that the vast majority of IT security systems implemented over the last 10 years (firewalls, IDS/IPS, anti-virus, anti-spam, anti-everything else, encryption, web proxy, SIM, SEM, 802.1X, NAC, etc.) barely communicate with one another, and when they do, it’s most frequently because one of the products can ingest syslog or retrieve and interpret text files.  The resulting system is often one that, instead of doing more with less, forces the customer to simply do less.

Industry standards can be a slow process, and from what I’ve seen it requires the patience of Job to navigate the process while balancing a very diverse set of opinions against the requirement to make progress.  However, if industry standards were available and leveraged by IT security vendors for information sharing alone, enterprises would experience fewer audit findings, the operation of the IT system would be dramatically more efficient, new technologies would be deployed with less risk, and, in a fascinating turn of events, customers would be able to dedicate more time to new and emerging technologies (that’s code for: they’d buy more stuff from the vendors that adopted the standards).

Over the last 15 years the phrase “nobody was ever fired for implementing...” has been used frequently in a myriad of situations.  My first recollection of this was when folks used to say it about IBM (they don’t anymore), and over the last 8-10 years it’s Cisco whose name is inserted as the company most likely to help someone not lose their job.  I would say, however, that looking back over the last 15 years it’s ultimately even more accurate to say that nobody has ever been fired for implementing industry standards.


~~~~~~~~~~ 


About the author

Steve Pettit is the President of Great Bay Software and can be reached at spettit@greatbaysoftware.com