CNN's Cyber Shockwave


  • CNN's Cyber Shockwave

    Am I the only one that seems to have a problem with mounting a cyber attack, as well as an attack against the power grid, at the same time? The two seem mutually exclusive. You want to keep systems on during a cyber attack, not turn them off.

    So what I got out of CNN's Cyber Shockwave was the following:

    An iPhone app was the impetus for the downfall of the Internet, and cell networks as we know them.
    We have Offensive Cyber capabilities; do we?
    If something like this happens we will have to write the laws as we go?
    Private ISPs will have to start mandatory AV and OS patch enforcement (don't have a problem with that).
    Our government will crap its pants for at least the first 2 hours.
    U.S. citizens will have to commit and sacrifice.
    We have no ability to isolate our country's Information Technology infrastructure from the global community.
    The world will end if people can't use their cell phones.
    We are afraid, very afraid.
    Hackers are the bane of humanity.
    Joe Lockhart answered a question honestly.


    Comments welcome

    xor
    Last edited by xor; February 21, 2010, 19:54.
    Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

  • #2
    Re: CNN's Cyber Shockwave

    "Am I the only one that seems to have a problem with mounting a cyber attack, as well as an attack against the power grid, at the same time? The two seem mutually exclusive. You want to keep systems on during a cyber attack, not turn them off."

    That's a great point. However, wouldn't cutting the power work if you were trying to hurt a target economy financially? This could be a local, state or federal economy.


    "We have Offensive Cyber capabilities; do we?"

    We're getting better with offensive capability..
    http://www.mysanantonio.com/news/San...r_command.html


    ********Small clip from the above site***********

    By Gary Martin - Express-News

    WASHINGTON — Lackland AFB in San Antonio is being selected by Air Force officials as the headquarters for a new cyber command, an official close to the selection process said late Thursday.

    The Air Force is expected to make the selection official today, but lawmakers representing states and cities with potential sites were being notified in advance of the announcement.

    Lackland was selected by the Air Force as the best of several other candidates for the headquarters, which would mean an influx of infrastructure, security and 400 staffers.

    The headquarters will include the commander's staff and an operations center.

    The operations primarily will focus on defending Air Force computers against cyber attack and preventing computer disruptions.

    *********************

    "Our government will crap its pants for at least the first 2 hours."

    If the attacker gets us by surprise I agree with that statement 100%

    /r
    Happypanda

    Comment


    • #3
      Re: CNN's Cyber Shockwave

      I did not get to see the CNN special because I do not have cable/satellite. Does anyone know if it will be on their site or if it has made its way to YouTube?

      happypanda, CYBERCOM exists, but it is still off to a shaky start. Right now they have limited resources and limited capabilities. And although the military is making progress, the government itself as well as both federally and privately administered aspects of the critical infrastructure are still quite vulnerable. For decades, the US did not take the threat of computer-based attacks seriously, and now we are having to play catch-up.

      xor, although I did not see the special, I read an article about the scenario used. It did not sound like a very likely one to me either.
      "Why is it drug addicts and computer aficionados are both called users?" - Clifford Stoll

      Comment


      • #4
        Re: CNN's Cyber Shockwave

        Originally posted by AgentDarkApple View Post
        the government itself as well as both federally and privately administered aspects of the critical infrastructure are still quite vulnerable
        I couldn't agree more. We are behind.

        Comment


        • #5
          Re: CNN's Cyber Shockwave

          Originally posted by happypanda View Post
          I couldn't agree more. We are behind.
          Oh? In what way are we behind? Do you really understand what is needed to maintain huge installations of industrial automation and all the aspects of upgrading things to new technology?

          Industrial Automation isn't upgraded in similar intervals to standard IT stuff. PLCs and such are installed and expected to be running for 20 to 30 years. IT stuff lifespan might be 3 to 5 years, 7 at the outside. Attempting to bring all IA stuff up to modern levels is incredibly expensive and time consuming considering that you expect to have electricity 24/7/365.

          Let's take my small installation as an example. We have 10 PLC cabinets at our plant and another dozen or so scattered among other installations. Each cabinet costs around $50k - $60K to purchase and install. If we were to replace them to bring them up to modern equipment, that would cost us about $1.2M. That's money that isn't planned for. Now start doing the math to try to bring the hundreds of thousands of cabinets like that across the country that would need to be brought up to date. Now you're talking about costs into the billions, not to mention the time involved. Companies purchase equipment like this knowing that it's meant to be in service for years, and when much of the current equipment was installed, no one had given a thought about issues like we're facing today.

          So yes, we're behind, but to quote _The Postman_, "things are getting better, things are getting better every day".

          For now those of us working in the field are making every effort to secure the systems as best as we can and budget will allow. But the actual bigger issue that I see with all of this is everyone wants to bitch and complain that these systems shouldn't be connected to the internet to begin with, and yes, I agree. But when that's the only cost-effective alternative to what phone companies charge for things like leased lines and point to point T1s then sometimes a point to point VPN over common ISPs is the best solution.
          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

          Comment


          • #6
            Re: CNN's Cyber Shockwave

            Originally posted by streaker69 View Post
            Attempting to bring all IA stuff up to modern levels is incredibly expensive and time consuming considering that you expect to have electricity 24/7/365.

            Each cabinet costs around $50k - $60K to purchase and install. If we were to replace them to bring them up to modern equipment, that would cost us about $1.2M. That's money that isn't planned for.

            For now those of us working in the field are making every effort to secure the systems as best as we can and budget will allow.
            streaker69, I hope you didn't think I was trying to diss you. I did research on this sort of thing for one of my papers last semester, and although I am sure what I saw was only the tip of the iceberg, it sounds like lack of funds + difficulty in bringing systems down for upgrade + all the other stuff you said are factors that make these systems difficult to update and secure. Unfortunately these are also factors that are not likely to change any time soon. I hope there are more guys out there like you who are trying their best to make things as secure as possible, but from the stuff I read, it sounds like most of those running SCADA/industrial/critical infrastructure systems are inadequately trained and have a lack of security awareness. It also sounds like those same guys as well as the federal govt lack severely in the area of an incident response and contingency plan. I would actually like to hear more of your thoughts on this.
            "Why is it drug addicts and computer aficionados are both called users?" - Clifford Stoll

            Comment


            • #7
              Re: CNN's Cyber Shockwave

              Originally posted by AgentDarkApple View Post
              streaker69, I hope you didn't think I was trying to diss you. I did research on this sort of thing for one of my papers last semester, and although I am sure what I saw was only the tip of the iceberg, it sounds like lack of funds + difficulty in bringing systems down for upgrade + all the other stuff you said are factors that make these systems difficult to update and secure. Unfortunately these are also factors that are not likely to change any time soon. I hope there are more guys out there like you who are trying their best to make things as secure as possible, but from the stuff I read, it sounds like most of those running SCADA/industrial/critical infrastructure systems are inadequately trained and have a lack of security awareness. It also sounds like those same guys as well as the federal govt lack severely in the area of an incident response and contingency plan. I would actually like to hear more of your thoughts on this.
              Nope, didn't think that at all. I was more annoyed at the useless post of the person I directly replied to. It was more of a "me too" than anything else. Seemed as though he was agreeing for the sake of agreeing without knowing why he was agreeing.

              The media of course likes to cater to the 'lay people' who don't understand what it takes to maintain these systems. Most 'lay people' think that it's just a matter of replacing a couple of PCs and patching an OS, when in reality it's several orders of magnitude more complex than that, and incredibly costly.
              A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

              Comment


              • #8
                Re: CNN's Cyber Shockwave

                Originally posted by streaker69 View Post
                ... PLC's and such are installed and expected to be running for 20 to 30 years. ...
                To put that in perspective, a good chunk of such equipment out there is older than many of the regulars on these forums, and hasn't yet hit EOL.

                Originally posted by streaker69 View Post
                ... Companies purchase equipment like this knowing that it's meant to be in service for years, and when much of the current equipment was installed, no one had given a thought about issues like we're facing today. ...
                Mainly because those issues hadn't yet been invented.

                While parts of the DARPAnet extend back to just over 40 years ago, the Internet in its present public form didn't really become popular until about 1995; only fifteen years ago. In fact, as late as ten years ago, some people were still undecided as to whether it would really be useful. So essentially, in the last decade, we've dumped a lot of connections over onto the Internet using equipment that has never been designed to be on a public network, and the underlying design of that equipment may date back at least three or four decades.

                In hindsight, connecting up this infrastructure equipment may be a mistake without a more thorough security analysis, but as streaker69 points out, it has been done for very good reasons, mainly revolving around cost savings and extended remote control.
                Thorn
                "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

                Comment


                • #9
                  Re: CNN's Cyber Shockwave

                  Originally posted by Thorn View Post

                  In hindsight, connecting up this infrastructure equipment may be a mistake without a more thorough security analysis, but as streaker69 points out, it has been done for very good reasons, mainly revolving around cost savings and extended remote control.
                  There's another issue that I didn't really address either. Many times these devices got thrown on the internet without a thought about security because they were put there by Industrial Automation Engineers (No offense to Beakmyn intended), but many of those guys don't know the first thing about IT security and good practices. They just know they need something connected and they find a way to do it.

                  Too many times the IA engineers don't talk to IT and will order telephone lines for a direct link to switchgear, they'll connect job trailers with PCs in them to PLCs via wireless running WEP or no encryption. These guys many times see IT security as a hindrance to the work and resist even implementing some of the simplest of policies.

                  There is a concerted effort among the community to start getting IA and IT working together but so far it's been a slow process.
                  A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                  Comment


                  • #10
                    Re: CNN's Cyber Shockwave

                    Originally posted by Thorn View Post
                    To put that in perspective, a good chunk of such equipment out there is older than many of the regulars on these forums, and hasn't yet hit EOL.

                    Mainly because those issues hadn't yet been invented.

                    While parts of the DARPAnet extend back to just over 40 years ago, the Internet in its present public form didn't really become popular until about 1995; only fifteen years ago. In fact, as late as ten years ago, some people were still undecided as to whether it would really be useful. So essentially, in the last decade, we've dumped a lot of connections over onto the Internet using equipment that has never been designed to be on a public network, and the underlying design of that equipment may date back at least three or four decades.

                    In hindsight, connecting up this infrastructure equipment may be a mistake without a more thorough security analysis, but as streaker69 points out, it has been done for very good reasons, mainly revolving around cost savings and extended remote control.
                    If you haven't watched this TED talk by Marcus Ranum, you really should take the time and check it out. http://www.youtube.com/watch?v=o59mQhBiUo4 If you want to really understand why some of the things that are done today, take a gander at his one example of how f'ed up HTTP is as a practice.

                    I don't have primary responsibility of SCADA systems at my job, but I am responsible for their security interactions with the rest of the company and can fully support Thorn's and Streaker's comments. In just oil and gas companies, there are systems that easily date back 20-30 years and the latest technology just encapsulates serial communication over Ethernet. There's just some things you can't "protect" in a conventional sense, where proper practice, process, and isolation are your only tools.
                    Aut disce aut discede

                    Comment


                    • #11
                      Re: CNN's Cyber Shockwave

                      Originally posted by AlxRogan View Post
                      I don't have primary responsibility of SCADA systems at my job, but I am responsible for their security interactions with the rest of the company and can fully support Thorn's and Streaker's comments. In just oil and gas companies, there are systems that easily date back 20-30 years and the latest technology just encapsulates serial communication over Ethernet. There's just some things you can't "protect" in a conventional sense, where proper practice, process, and isolation are your only tools.
                      And to build on this, even some of the brand spankin' new equipment you get in still doesn't have security in place. I have some brand new PLCs of a major brand that have severe security issues in them. These are things that should have been resolved but they're still building them with problems. All we can do is harden the perimeter and keep a close eye on everything.
                      A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                      Comment


                      • #12
                        Re: CNN's Cyber Shockwave

                        Originally posted by streaker69 View Post
                        Nope, didn't think that at all. I was more annoyed at the useless post of the person I directly replied to. It was more of a "me too" than anything else. Seemed as though he was agreeing for the sake of agreeing without knowing why he was agreeing.

                        The media of course likes to cater to the 'lay people' who don't understand what it takes to maintain these systems. Most 'lay people' think that it's just a matter of replacing a couple of PCs and patching an OS, when in reality it's several orders of magnitude more complex than that, and incredibly costly.
                        Streaker69: I understand where you are coming from. I do understand some of the logistics. ADA was correct in the fact that she said "the government itself as well as both federally and privately administered aspects of the critical infrastructure are still quite vulnerable". She was simply correct. I wanted to make it a point that I agreed and didn't see a need to support that statement with fact. I'll work on that in future posts.

                        As an example about our vulnerability: Try to report your systems got hacked to the local police department. They won't know what to do. This type of thing has only recently been reportable to the highest levels of gov't like the FBI and the secret service in some cases. Even then if it's a single incident they usually won't waste their time. We are behind in the fact that our lower levels of government don't usually investigate cyber crimes. This is only a small part of the reason that our infrastructure is vulnerable. I did post about cybercom and how we are "getting better" with our offensive stance on cyber security. I was glad to post that because it shows we are going in the right direction. I also think it's important to note that we are still behind. If we maintain or develop a mindset that we are ahead of the game when it comes to cyberspace, we will most likely be setting ourselves up for failure due to our over-confidence.

                        Once we get the ability to conduct investigations into cyber attacks at low levels of government and make them available to the public that have been attacked, we will be a world ahead of the competition. Until then, when the only support exists in the DoD and there is no chain of communication from lower echelons about cyber attacks we sure are making things difficult for ourselves. But again we are going in the right direction and as a veteran I'm sure as hell glad to see that.
                        Last edited by happypanda; February 22, 2010, 14:13. Reason: spelling

                        Comment


                        • #13
                          Re: CNN's Cyber Shockwave

                          Originally posted by happypanda View Post

                          As an example about our vulnerability: Try to report your systems got hacked to the local police department. They won't know what to do. This type of thing has only recently been reportable to the highest levels of gov't like the FBI and the secret service in some cases. Even then if it's a single incident they usually won't waste their time. We are behind in the fact that our lower levels of government don't usually investigate cyber crimes.
                          I'm curious as to what country has local LE that is able to investigate complex hacking, do you have an example of one? If not, then we're not really behind, since no one else has it either. Local LEs generally are not staffed or funded for such things, and if you think that they should be, then be prepared for a severe tax increase. Attacks should go through the departments that have the resources, like the FBI, and SS.

                          This is only a small part of the reason that our infrastructure is vulnerable. I did post about cybercom and how we are "getting better" with our offensive stance on cyber security. I was glad to post that because it shows we are going in the right direction. I also think it's important to note that we are still behind. If we maintain or develop a mindset that we are ahead of the game when it comes to cyberspace, we will most likely be setting ourselves up for failure due to our over-confidence.
                          No one working in the field is over-confident that we're ahead of the game. We know we're behind, but there's really not much that can be done about it quickly. It takes a great deal of time and planning to implement security processes that don't break the system.

                          Once we get the ability to conduct investigations into cyber attacks at low levels of government and make them available to the public that have been attacked, we will be a world ahead of the competition. Until then, when the only support exists in the DoD and there is no chain of communication from lower echelons about cyber attacks we sure are making things difficult for ourselves. But again we are going in the right direction and as a veteran I'm sure as hell glad to see that.
                          I don't think that we should be working towards lower level investigations, as lower levels just don't have the resources for it. Most local LEs now when they have a laptop that needs to be investigated they send it out to the State PD crime lab for the work to be done, and the turnaround there is 3 to 6 months due to backlog.

                          There is an organization that you could join if you work for critical infrastructure that does filter information down to their members and for passing information up the chain.
                          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                          Comment


                          • #14
                            Re: CNN's Cyber Shockwave

                            Originally posted by streaker69 View Post
                            I'm curious as to what country has local LE that is able to investigate complex hacking, do you have an example of one?
                            Australia has a somewhat more established system than we do when it comes to reporting that stuff to local LE. An individual can report a cyber attack to local LE then (as a similar chain to what you stated) that is logged and reported up to a state authority. That state authority then investigates the attack to see if it is associated with other incidents or if it is a single incident. In the case it's associated with identity theft or a series of events the AFP (Australian Federal Police) become involved.

                            So there still is not much ability to do the actual investigation at the local level. The process is implemented well throughout the country though.

                            Comment


                            • #15
                              Re: CNN's Cyber Shockwave

                              Originally posted by happypanda View Post
                              Australia has a somewhat more established system than we do when it comes to reporting that stuff to local LE. An individual can report a cyber attack to local LE then (as a similar chain to what you stated) that is logged and reported up to a state authority. That state authority then investigates the attack to see if it is associated with other incidents or if it is a single incident. In the case it's associated with identity theft or a series of events the AFP (Australian Federal Police) become involved.

                              So there still is not much ability to do the actual investigation at the local level. The process is implemented well throughout the country though.
                              ...and the same holds true in the US. If you report an incident, you should not be expecting your local LE to investigate but report up the chain. To quote your previous post:

                              We are behind in the fact that our lower levels of government don't usually investigate cyber crimes.
                              They shouldn't be investigating such things as most of the time, they wouldn't have the jurisdiction to do so, considering the attacks most of the times cross state lines as well as international borders. You should also not be reporting such things to normal uniformed officers, but to the detectives. I've always had good luck in reporting anything that I needed to local departments, and they've always been professional and if they weren't sure what to do at first, they made some calls and determined what was needed to be done. Which is exactly as it should be.
                              A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                              Comment
