SANS Ahead of the Curve or Alarmist?
SANS started getting involved with SCADA security at their first SCADA Security Summit (which I liveblogged in detail in the March 06 archive). This has been followed by a number of webcasts and plans for a second Summit, scheduled for Sept 28-30 in Las Vegas.
Yesterday many readers sent me the latest SANS NewsBites, which included this provocative statement from Alan Paller:
Bad news first: Two SCADA systems have been penetrated for criminal (extortion) activity. You can count on rapid expansion of this type of crime.
I have no information on the two events he references, and I would be most curious on whether they truly were the SCADA system or just a company that runs a SCADA system.
What I wonder most about is the ‘rapid expansion’. Technically, if the community goes from two events to ten events in a year, that is a 400% increase and may qualify as rapid. I don’t think that is how the normal reader would interpret that prediction, and it is probably not what the writer intended. Is Alan prescient or alarmist? Forbes had an interesting related article, Fraidy Cat Marketing, on worm hyping by security vendors.
We all can look into our crystal balls and make predictions, and some readers may consider past blog entries here alarmist. I don’t see criminal extortion of control systems as a major threat, especially compared to other threats that do have me quite concerned. The more secure SCADA systems have rules for disconnecting even the limited connections between the control network and other networks, as well as other lock-down rules. An extortion attempt would provide the warning needed to enter the lock-down posture and would likely foil the threat.
Additionally, attempting an extortion of a critical infrastructure system would certainly gain high level attention in law enforcement and a bunch of three letter government organizations. Jack Bauer and the CTU would certainly be on the case. Does a cyber criminal want to pick a target like this?
Finally, this comment highlights the importance of getting some real threat data.
Author: Dale Peterson
Posted: May 27th, 2006 under Calculating Risk, SANS.
Comments: 16
Comments
Comment from Anonymous
Time: May 29, 2006, 11:49 am
I post one vote for “Alarmist.” I think SANS means well but already they are starting to commercialize their foray into SCADA/DCS/Industrial systems. They are no different from any other player currently focused on this niche, except they carry a little more weight outside the industrial community. I am disappointed to see them take this approach of “fear.”
Comment from thrashor
Time: May 29, 2006, 3:58 pm
I was just thinking the same thing - what are these two incidents of SCADA security related extortion? Let me know if you find out.
Comment from Anonymous
Time: May 30, 2006, 8:55 am
I also question why a ‘newcomer’ to this area feels the need to have another conference only 6 months after the first. The security calendar is getting out of control, between industry vertical and horizontal meetings, government and vendor sponsored symposia, the list goes on.
Comment from Anonymous
Time: May 30, 2006, 10:19 am
It would be interesting to see or hear where Mr. Paller is getting his threat information from, considering it is almost impossible to come by. You make a good point about whether the breach was actually within the control systems environment or not. I guess my concern revolves around the fact that there are actually some non-owner/operator players in this realm that are truly concerned about providing secure, sound advice without following Chicken Little’s modus operandi of the Sky is Falling.
I know that we want the control systems community to perform due diligence in securing their infrastructures, but frankly they are quite tired of the scare tactics.
Releasing this type of information without any details (if any are actually available) may cause more harm than good.
Comment from Anonymous
Time: May 30, 2006, 10:32 am
I’m also concerned about the continuing proliferation of conferences. Security is a big issue at every industry/vendor/government meeting these days, do we need SANS holding (another) one every 6 months?
Comment from Anonymous
Time: May 30, 2006, 1:27 pm
It looks like this is where the information is coming from.
Comment from Anonymous
Time: May 30, 2006, 2:26 pm
In reference to the .pdf post: that information is dated and nowhere in the document does it specifically state that “2 SCADA systems” were penetrated. I recall when Mr. Paller testified, and his references to extortion were in reference to current non-SCADA hacker activity. It appears from his latest news bite that he is referencing updated incident information, or at least that is what is implied.
Comment from Anonymous
Time: May 31, 2006, 3:05 pm
SANS is a multi-million dollar commercial enterprise that specializes in for-profit conferences and vendor marketing. By creating regular conferences on SCADA security (or any other topic), SANS are doing exactly what the profit motive dictates - collecting money from curious attendees, and collecting even more money from vendors desperate to market to those attendees. Everything else SANS does - including education, training and informational content - is window dressing to the profit motive.
A lot of security professionals labor under the misapprehension that SANS is some sort of non-profit cyber club, and Paller is the honored speaker. This couldn’t be further from the truth. SANS is no different from CMP and all of the other large corporate tradeshow and training vendors making a buck from security. They’ve just done a much better job at marketing themselves.
Comment from Dale Peterson
Time: May 31, 2006, 5:37 pm
I think SANS’ involvement is a net plus for the community. They bring in a lot of IT security folks who normally would not get involved with SCADA.
SANS’ biggest impact could be in SCADA security training with courses/tracks as part of their regular conferences, and I’d rather see them put their considerable clout behind other industry events rather than creating another ‘summit’.
I do agree that there sometimes is a misperception on the purity of SANS, but even non-profits, gov’t agencies, national labs and consulting practices (can you believe it?) are often driven by self interests.
Comment from Eric Byres
Time: June 2, 2006, 4:51 pm
This announcement by SANS concerns me. Too bad the victims won’t share a bit more info – while I understand the need for the victims to stay completely anonymous, a little detail on the nature of the attack would be useful for the whole industry.
Things like:
What was the attack vector?
Did it come through the IT side of the house or was it directly against the control/SCADA system itself?
How confident were the companies involved that the attackers could carry out their threat?
Was there any insider involvement?
What continent was it on? (attacks like this in North Africa or Russia would not be a big surprise to me, the US would be).
What did the extortionists request (money or something else like not building a nuke plant in their backyard)?
I worry that with little snippets of data like this being released, we could end up with another Cal-ISO or Salt River urban myth, distorting the field so that what really needs to be done is ignored.
Comment from CNI operator
Time: June 12, 2006, 12:01 pm
Yes it would be nice to hear more but as an operator of CNI, I wonder how much I’d be willing to share if this happened to me!
Generally I think SANS involvement in our field will be a good thing that will be opposed by those that:
1. have a vested interest (specialist consultants who want to protect their patch)
2. want to keep “IT folks” away from control systems
Both bad reasons (IMHO). I’m rather pleased that SANS are getting involved; it should help move SCADA security into the mainstream.
Comment from Kevin McGrath
Time: June 15, 2006, 12:37 pm
It looks like this is where the information is coming from.
http://hsc.house.gov/files/TestimonyPaller.pdf
# posted by Anonymous : 1:27 PM
I just read the above, but I don’t see any specifics regarding two extortions of SCADA systems.
Without any details that statement is just some more FUD we don’t need.
Comment from Anonymous
Time: June 16, 2006, 9:43 am
When all the y2k consultants ran out of work on the 1st Jan 00, they had to find another cash cow. I’m surprised it took them this long, but they sure picked a winner; as long as there are CIOs and senior government types that don’t know any better, these consultants and empire builders can milk it for all it’s worth. It’s just so bloody over the top. I mean f’chrisake, if you have a nuclear reactor or some other bit of critical infrastructure - just don’t connect the bloody control system to the internet - duh! If you have some other system that’s not so critical, and you really want to have it hooked up to some corporate system that is visible from the gasp horror internet, then put some bloody firewalls in and get a cisco expert to frig em up nice and tight and keep a watch on things. It ain’t rocket science. I work in the electricity sector in Australia. The attorney general’s department has a budget of $50Million for funding anti cyber-threats for critical infrastructure. There are endless rounds of meetings, and important looking people looking very serious and discussing these matters of national importance quietly and earnestly (and enjoying the nice hotels and business class airfares all over the country in the meantime). Meanwhile, all the terrorists are probably just working out which 132KV power transformer insulators would be best to shoot off with a 303 from a distance to bring down the grid. Jez, they don’t even have to blow themselves up or get a broadband connection to pull it off!
Comment from Julian L. Rrushi
Time: June 20, 2006, 3:47 am
It could be very constructive if the threat information SANS has were analyzed. It could contribute to building realistic threat models useful to the industry.
Comment from Anonymous
Time: July 27, 2006, 2:46 pm
Long before my involvement in the controls space, and well before 9/11, we had the staid old discipline and market known as “information security.” Practitioners constantly struggled to get the attention of executive management to attend to ‘generally accepted systems security practices/principles’. We had IBM RACF as perhaps the commercial benchmark for commercial-setting role based access control, and with the advent of the WWW and browsers the “Internet” blossomed (thanx also to Al Gore, of course
That’s about the time ISC2 formed and began the process of certifying CISSPs. Enter SANS. SANS went after the propeller-head niche versus the “infosec management” space already occupied by ISC2. Being a test-certified (not grandfathered) early CISSP (’98), I came to see SANS for what it was - a marketing organization dressed in the garb of technical superiority. If anyone recalls, as I do well, SANS built its credibility through promulgation of its GIAC certifications. It’s good stuff, as are SANS courses and the Reading Room reference library. But that wasn’t enough to garner the big bucks, and SANS took the tack of eroding by groundswell word of mouth CISSP-bashing. Instead of acknowledging the leadership of some very serious and legitimately intentioned originators of ISC2, and simply offering a much needed complementary training ground niche at the tech weenie level, SANS decided to go for all of it by discrediting the CISSP certification. It happened to my face - open ridicule that CISSPs couldn’t be legitimate practitioners if they couldn’t fiddle bits ad nauseam. I’ll readily grant that not all CISSPs are tech wizards, but also as quickly note that this wasn’t really the point. InfoSEC was a totally ignored technical specialty much in need of board room and executive corridor awareness, acknowledgement, and funding, and ISC2 can be credited with making infoSEC a legitimate profession. Has anyone ever seen a GIAC-type sell a business case to the executive ranks and actually get funding to do anything? I imagine it’s happened, but not by anyone of that ilk I ever met. Ever since those days I have always watched SANS with a degree of skepticism, albeit willing to give credit where it’s due. And I still do… Fast forward to the “cyber gold rush” that ensued post 9/11, and one can see that a whole lot of other purveyors of truth-for-cash had seriously tapped into SANS’ niche. So when I saw Mr. Paller and company attempting to make a big splash with yet another cyber summit, but this time in the control systems space, I had to raise a brow in suspicion. SANS’ current hot button is development of ‘standard security specs for procurement instruments.’ Well, wouldn’t success in putting itself front and center of that initiative make SANS a power broker extraordinaire - you bet it would. Do yourselves a favor and inspect the SANS Reading Room for really much of anything about process control systems. Not much. I’d imagine SANS would argue that it’s all systems, and therefore all pretty much the same thing. Wrong. IT manipulates bits to manage data. Process control manipulates bits to control physics - in hostile environs. People don’t die, at least usually, in a data center or at their desk subsequent to a hack. Not so in process controls. Note that at present most of the industrial control systems actually in real use operate using technology that even precedes the aforementioned IBM RACF days, never mind pre-Internet. Process control systems are not anywhere near SANS’ sweet spot, and accordingly I can only deduce that their current foray into this space is nothing more than Mr. Paller’s latest, albeit poorly camouflaged, marketing brainstorm. Caveat emptor when it comes to SANS, at least near term until it really gains a grasp of what it’s dealing with in the controls space. This CISSP for one won’t be spending a nickel to aid Mr. Paller’s initiative, but he will indeed be watching intently SANS-dispensed ‘truth’ in the area of procurement specs - and challenging mush when it’s called for. There is too much lying in the balance in terms of our critical infrastructures.