CNN–DHS Tape Fallout / SANS Hype Machine
I’ve been a bit surprised at the reaction to the excerpt of the DHS tape showing a demonstration of a cyber attack on a power plant. The reaction from the press, and from those outside what I often call the “community” in this blog, is the expected combination of shock and wonder at how this is possible. This is a positive development.
Somehow we need to get across to the C-level executives, key people in Government, and leaders in the industry sectors the simple concept that if a workstation or server that controls a process is compromised or owned by an attacker, the physical process itself can be affected, often with disastrous results. The video excerpt made this point very effectively.
What has me a bit surprised is the amount and vigor of the reaction in the community. There is no news here. We all knew this, which is why we are working hard to prevent cyber attacks on this system.
- - - - - -
What I hate to see, and it is already beginning, is people in the community trying to promote solutions related to this video. How is this possible? The video excerpt did not discuss any details. No new class of attack was disclosed. From a control system security protection standpoint this changes nothing.
The first marketing exploit to cross my email was a SANS broadcast email from Alan Paller titled “Yesterday’s CNN and AP news stories about hacking control systems”.
To make sure the knowledge needed gets broad distribution, we are shifting some of the content of the SCADA/Process Control Security Summit to the specifics of exactly how to protect against these attacks, and we will also be holding industry-specific working group meetings for the process control engineers and IT security people who have to cooperate to resolve these problems.
Really. So the SANS Summit was previously not going to cover securing control systems against attacks? And what attacks are “these attacks”?
The SANS Summit along with PCSF, the Weiss event (which also sent a similar email), ISA Expo and others are great events for those new to the topic. Anyone responsible for a control system should attend one of these events.
The SANS email gets under my skin a bit because I always hear Alan and SANS castigate vendors for being commercial and doing marketing, when in fact most are pretty careful to avoid sales pitches at industry events. Somehow SANS thinks they are exempt from this complaint. SANS is one of the most blatant, commercial marketing organizations I come in contact with, much more so than most product or service vendors. SANS is always trying to raise hype to get more attendees and more $$$. Yet somehow it is ok when they do it.
Unfortunately it looks like we are in for years of hearing about this DHS video in presentations and pitches.
Author: Dale Peterson
Posted: October 2nd, 2007 under DHS, SANS.
Comments: 4
Comments
Comment from Ralph Langner
Time: October 2, 2007, 2:47 pm
Congratulations, Dale. The term “marketing exploit” really hits the nail on the head. And, yeah, I share the concern that the DHS video will be the new Vitek Boden case for the next years. It is quite disturbing that so many companies are anxious to present SOME piece of evidence for SCADA threats just to promote their products and services (and get away with it), but on the other hand, it could have been expected. The same old FUD. And then comes the hero, dressed as some kind of IPS, threat terminator, or whatever high-tech device, and the deal is closed. It’s upon us to change the picture by coming up with a more realistic look on threats.
Comment from Jake Brodsky
Time: October 2, 2007, 3:43 pm
Concerning the INL/Aurora demonstration, I’ve said this before, and I’ll repeat it here: The information leaked so far is insufficient to judge what they were doing or how realistic it may have been.
That said, I find that much of the IT security hype that immediately follows such events to be distasteful, shrill, and ignorant. SANS is but one of several organizations that perpetrate this. The only good that comes from such things is that it just might grab a boss’s attention for a few minutes.
And that is the rub. As Joe Weiss pointed out to me, the CxO crowd doesn’t read the trade rags we read; but they do watch CNN. The problem is that we can’t move very far without the CxO leadership buy-in. We have two fronts to consider: One is regulatory, the other is to appeal to the CxO crowd to invest before the storm happens.
However, given the quarter by quarter view from those high corner offices, I’m not optimistic that we can make a case for something that hasn’t happened in a big way yet. Most of these folk are waiting for the crisis to justify their actions to their investors or rate payers.
If this sounds a bit sour, I guess it’s because I’ve seen where my managers are going. They will pay lip service, and do the minimum needed to look good. But in the end, unless legislation or regulation forces them to act, I don’t believe they’re going to tighten up their act in any meaningful fashion.
Comment from David
Time: October 3, 2007, 8:15 am
Well, I like it. Any press is good press. Raise awareness, get people involved, pique curiosity, fan the flames, stoke the coals, re-charge the batteries, etc…
Without reaching out to CXOs there is no funding for this profession (typically it’s a money saver, not a money maker). Even if some of that money gets diverted to the purchase of Bells V.2.31-x and Whistles-4.234, at least they are getting some kind of message about the security of their systems.
Think of this SANS HYPE/CNN as an after school special sponsored by some sugar cereal. Are you happy that your child learns to “not talk to strangers” or are you pissed that they are being enticed to eat high-fructose corn syrup?
The Devils Advocate
PS. I love the term marketing exploit.
Comment from Ralph Langner
Time: October 4, 2007, 3:07 pm
David, I must say that I disagree. I take your devil’s advocate viewpoint and present the case from a different angle. The awareness thing makes sense only if we assume that senior management is kind of stupid, so they just don’t see what REALLY matters for their business (it’s what we tell them it does). So if we hammer it into their heads, using fancy CNN videos and thrilling live hacking presentations (where some kind of little used simulator software is crashed), they finally wake up and save the farm. By the way, we make some bucks in the process, but that’s only fair, is it?
No, it’s not. Look at it this way. As we all know, security at some point boils down to whom you trust. What if all the executives simply don’t trust us? They don’t trust you, they don’t trust Dale, they don’t trust me. They sniffed all the marketing hype and they’re, eh, not amused. They’re assuming that we’re just making something up in order to fuel our business. They don’t buy the story. Marketing exploits (I love that term!) certainly don’t help. I believe it is our obligation to call a marketing stunt what it is. We owe it to ourselves, and to our clients.