This doesn’t excuse the vulnerabilities. There should be no way someone gets to a reactor from the outisde — internal pentests are a little more understood from the hard crunchy shell and soft chewy center that nearly all organizations represent. However, it’s what your capabilities are in the LAST MILE that matter. I think the picking a book up at your local bookstore to own a power grid is a gross overexaggeration, because most of the world would not have any capability once they actually arrived at the SCADA network. THIS is the topic that is of the most scrutiny as it is built up from proprietary and non-proprietary protocols where device control is contingent on fast and accurate which is diametricallly opposed to security/encryption. We are seeing that change. This is great, but I know there are a lot more attack metrics due to the amount of complexity some of these protocols provide… self-propagating metrics in some cases… but I don’t mind to end this comment on a vague note. There is just a lot more to explore then what was offered. *Everyone* (both IT and SCADA industry) already knows how bad security is in the Critical Infrastructure. Anyone that hasn’t just hasn’t seen a SCADA talk in the last 5 years… that’s all. Therefore the talk is another notch on the bedpost from a credible source, but the end result is no news.

I’m beginning to believe that demo and extra content aside that I would still be saying the above statement.

I saw you linked to my blog post. Robert Graham’s slides in the Black Hat book and CD were much shorter than his actual presentation, which you see I attended. Sure, there weren’t really any technical details. Instead, Robert Graham presented just how bad the SCADA world looks when seen through the eyes of his pen testing team. He presented a dozen case studies based on his ISS pen testing experiences, plus a few more details not listed in the published slides.

This was my first real exposure to SCADA issues and it scared the heck out of me. It’s like the .mil in 1996.

Great blog, by the way!

TaoSecurity
and Security Fix

- the slides did a good job of proving the point in the title

- our experience is the control system owner is not “typically clueless”. They bring ISS, Digital Bond or others in because they know they have a problem and need some help. They attend courses, note some of the SANS courses are sold out, for the same reason. We need to be careful that we do not overhype the current situation. Some asset owners have been working on this for years and would impress most security professionals with their program. For example, I would hope the security posture was improved at the asset owners that were used as examples after the assessment.

- Interesting that the presentation did not include any real SCADA knowledge in the attack scenarios. There are a lot of ramifications, pro and con, about this.

I’ll admit I’m tired of hearing the sky is falling and reading diaster stories — i’ll take interesting offensive or defensive attack scenarios, but I heard neither. Reality is this is a traditional IT security talk dressed up in a SCADA suit with all the appropriate scary buzzwords in place like power grid and nuclear reactor, etc.

I’ve seen 5 years of this so far in the IT Security sector. 5 years of the same presentation on SCADA vulnerabilities. no auth{n,z}, no encryption, fire, death, end of the world — i’m not sure being that I don’t work in the sector if Control Systems operators are going to watch “This is your life” or they are attending a train wreck, a 50 car pileup, and an airplane crash all at the same time. Either way it sounds like fun.

I’ll admit I had to calm down awhile before I could clearly write something I wanted preserved on my weblog.

My take on what little I see is here.