CSIS Report: Securing Cyberspace

Re: CSIS Report: Securing Cyberspace

Depends on your filter; 252 articles about how someone might hack SCADA wouldn't be too interesting...

Re: CSIS Report: Securing Cyberspace

If anyone is interested: I've compiled 252 pages of news articles related to SCADA hacking into one big PDF ordered by year of publication (2009 - 2001).

I can post it somewhere if you want to read it.

Re: CSIS Report: Securing Cyberspace

I just attended a seminar put on by the company from which we purchased our SCADA software. It was pretty much a 'rah-rah' session regarding a new product release. I believe I was the only end user there everyone else was system integrators or sales people.

You can tell that 'security' is the buzz word of 2009 in relation to security. He mentioned it about a billion times, but never actually defined what kind of security they employ.

The funniest yet scariest part of the presentation was when he was talking about a new file format they use for their new release, which happens to be a derivative of XML. During his spiel he states "...and since it's a text file, it's secure".

I about jumped out of my seat at that point, but held back as I wanted to hear more of the magical secure text file. The other part that I got from this is it seems as though automation engineers still see general IT as their enemy, and firewalls are something that needs to be bypassed because they interfere with SCADA communications.

I think that automation engineers need to spend more time working closely with IT so that they understand why IT insists on having security measures in place.

Re: CSIS Report: Securing Cyberspace

That was fixed line. It really wasn't worth my time even calling the guy back to tell him how annoyed I was at the price.


I believe that Meatspace security is actually the bigger threat than attacks over the Internet. Most PU assets aren't guarded, have little security and whatever security they do have is easily breached. Of course, attacking a physical location has a greater risk associated with it than coming in across the wire.

One could definitely do more damage at a site in person than across the wire.

Re: CSIS Report: Securing Cyberspace

I suppose we (the UK) have a legacy of centralised, publicly owned utilities which probably cancels out that factor to an extent.

Fixed line, or was that over GSM/GPRS or ISM band?

I was wondering if the US has an equivalent of the UK's CPNI, or does that fall under the NSA?

While I was noodling about I found a bunch of other documents, precursors to the one in the OP, that might be of interest: Here.

I can't help thinking it's all a bit academic when you consider that last month some gonk was able to wander in to a turbine hall, crash a 500MW genny, leave a card and wander out again undetected.

I await the 'Securing Meatspace' report with baited breath.

Re: CSIS Report: Securing Cyberspace

Since there is no one at these remote facilities, that's not really a concern. All the extra ports on the router are disabled, the ports that are plugged in are monitored by the NMS which sends out alerts if something goes offline.

I am budgeting this year to install remote IDS sensors at these sites as well. Plus, my users here are actually pretty good, I haven't had a real issue of someone doing something they're not supposed to in about 2.5 years. I've spent an extensive amount of time on training, so things have actually been pretty good in that respect.

AP's aren't a concern because wireless is verboten.

(Remind me to tell you about a contractor that got caught by my NMS at Shmoo)

Re: CSIS Report: Securing Cyberspace

and all it would take would be one simpleton at a remote facility to think "instead of using my AOL dial-up, i'll just hop on the office broadband to download my NetFlix nonsense when i'm at work"

either an infected laptop or a rouge AP and that's almost game over right there, potentially... eventhough this person wouldn't actually be reaching the internet, i'm sure they would keep trying over and over. heh... think of users whose print jobs don't happen right away.

Re: CSIS Report: Securing Cyberspace

Much of it is because each PU/Municipality is responsible for finding their own solutions for linking their assets together. In regards to Municipalities doing this (think water and sewer), many times they're stuck dealing with contractors whom they feel they have to trust because they themselves don't know any better. Many smaller Municipalities are struggling just to pay their staff, so many times they don't have the money to test their own systems for security.

It would be great if there was another "internet" that public entities could use that was segregated from the rest of the world, but I don't see it happening anytime soon. Since the only real solution to this would be to run a completely second set of fiber/cable everywhere and then double up on attached equipment. Then managing this network and billing for all the thousands of groups that would need access to it would be an absolute nightmare.

Other solutions that are not using the internet are either not cost effective or do not provide the bandwidth needed. Early last year I looked into an MPLS system to link my 40 sites (which are all local) together via 56K connections. They wanted $9000/month for this. Which 56K would have been enough for the most basic of service that I needed at these sites, it would have left no room for expanding those services down the road. I did have Leased lines in some sites, and for those I was paying around $350/month for a 56K connection that I was lucky if I could get 1200 baud out of it.

I have since dropped those leased lines and I have established a VPN network using local ISP's as my backbone, because it was the most cost effective way to get connections plus the bandwidth I needed.

Re: CSIS Report: Securing Cyberspace

Apologies for grave-digging the thread, I only just read the article.

It appears that the conclusions drawn by the CSIS are broadly similar to those arrived at during a project that the UK Government ran a few years ago under their 'Foresight' program: Cyber Trust and Crime Prevention.

The conflict between 'security' and 'liberty' at the time concerned me, as the issue of authentication had huge implications for some of the community wireless networking stuff I was into at the time (see consume and SOWN).

This was before broadband penetration had reached much of the UK (and before I could get 2+Mbit out of my mobile for £5 pm ), so over time I've lost track/interest in the projects and the issues that arose, but the conflict clearly still exists.

There's a short paper on ethics that came out of that 'Foresight' project (here) that I thought summed it up well:

I see the 'economic' rationale for utilising public networks for infrastructure SCADA etc, but I never really understood why such traffic couldn't be routed through existing 'secure' channels, such as the UK Police TeTrRa system, or even utilise it's own dedicated network, as they did for the ANPR cameras. It's got to be easier and more effective than trying to lock down the entire net.

Re: CSIS Report: Securing Cyberspace

I'm in the process of crafting a good post for a thread for /dev/random. I'll send you a /msg about it at some point in the near future.

I don't think that's needed.

Oh... I thought that was already understood?

Re: CSIS Report: Securing Cyberspace

Hey! You could be the welcome wagon in /dev/random! You can set a sticky and let people know that you (and anyone else that volunteers) is ready and waiting to help people with with questions.

Sure! You could start a thread about that, and volunteers could respond to this thread stating their intention to also volunteer, and then you and anyone else that responds to that thread can all take such questions by PM! You and other volunteers can fight the system by volunteering your time to help new users with any kinds of questions they might have, and do it all by PM. If you really want to do this, I can make sure PM support is available to all users right when they sign up, with no waiting.

If you think I am joking about this, I am not. If you seriously want to see these changes, you can use the above to create a grass-roots movement to help the newbies, and new users through PM.

Moderators have finite time, and they have to contend with the following:
"Wants are infinite, but resources are finite."
"Actions speak louder than words."

Just because some mods don't have enough free time to support such a system doesn't mean that you and others shouldn't. Use of PM would make this possible,



It will be one more day before the mods have their decision on a newbie forum.

The results of adding a strictly, "Hi! I'm New!" forum just for people to introduce themselves was not supported by even a large minority of moderators, and without support from at least a few highly-available moderators to maintain a forum, any such forum would fail to disrepair.

The only items being discussed now by moderators are:
Converting /dev/random into a "Newbie Forum"
Making a new Newbie Forum which has the same rules as /dev/random
Having a "fake" forum called, "Hi! I'm New! This is my Introduction" (or something similar) which is really is link to each user's blog. This lets people introduce themselves in their blog and lets anyone interested enough in someone to read about them a place to go see any introduction they may have posted.
(These were based on items suggested in the other thread.)

I'll post the results to this last batch of items being discussed by mods tomorrow night.

(Want me to copy this and your reply over to the Newbie Forum discussion thread? I don't care if you want to fork this thread, as it is one you started. ]:> )

As for elitism: You're just saying that because you think you're better than us.

Re: CSIS Report: Securing Cyberspace

Yea... I've got a great idea. Maybe we should create a newbie forum, all new members can be automatically subscribed and only those members who wish to view it can. Then we'll be able to save our PM's as well as the rest of the forum from being overrun by "teach me to hack" posts. And we might even be able to help a few n00bs why we're at it.

Ah well, that'll never happen. It's much easier for everyone to be elitist...

/me shrugs.

Re: CSIS Report: Securing Cyberspace

Did you finish your PM spree asking people how to hack?

Re: CSIS Report: Securing Cyberspace

https://forum.defcon.org/showpost.ph...1&postcount=13

Re: CSIS Report: Securing Cyberspace

How would 'hacking the national grid' give one access to all the computers on the planet? It's a National grid, not a world wide grid. Do you eve have the remotest clue as to what grid you're even talking about.


Websites are really the least of the concern in what they're talking about, even though the media likes to bring them up because the average person understands them. The bigger concerns are people actually infiltrating the control networks for public utilities. I could care less if some ub3rl33t hax0r defaces someone's website. I'm more concerned that a foreign government is paying large groups of blackhatters to shutdown power plants, reverse the flow of pumps or reroute trains.