
Lack of Information and Parsing Words

Alan Paller of SANS has been talking about cyber extortion attempts against utility companies for over a year now, and we now have Tom Donahue, a CIA representative, on the record.

“We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. We suspect, but cannot confirm, that some of these attackers had the benefit of inside knowledge. We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet.”

The problem is that there is so little information, and so much ambiguity, that it is impossible to draw conclusions. It's even harder when you reread the CIA quote closely and realize what was not said.

  • The first two sentences of the quote deal with intrusions and extortion attempts against utilities outside the United States. There is no information on whether this extortion had anything to do with their control systems. A more typical case would be an attacker gaining access to customer records or business systems. Personal customer data for identity theft and other fraud is a lucrative target for criminals, as multiple detailed and documented news stories show. I always worry when an important, clarifying fact, such as whether the extortion was related to power production, transmission or distribution, is missing from a story. We may simply be getting detail on another large company being attacked rather than anything related to the power systems.
  • The remaining sentences deal with a successful attack causing a power outage outside of the US. Was there any evidence that this was the goal, or that there was some control system specific aspect to the attack? Was it a worm that got into the control system network from the enterprise? Was it part of a widespread attack targeting large IP address ranges that happened to reach and knock down an insecure power related control system? Simply put, was it an attack on a power SCADA or DCS, or was it a general attack that happened to take out the control system?

We were not at the SANS event last week and perhaps there was additional information that clarifies this foggy picture. If so, please add your comment.

Comments

Comment from Ralph Langner
Time: January 21, 2008, 9:34 am

Good to put this on the boilerplate, Dale. Rather than helping us increase our security, the published statement does three things:

- It forces us into the role of literature professors who must try to find some sense in what appears to be a strange piece of poetry, just as your blog entry clearly points out. Don't we have better things to do?

- It may create hysteria in the general public, as you have noticed before. This doesn’t help either. Hysteria is not the same as awareness.

- Decision makers, who are less prone to hysteria in general, will simply ignore the smoke cloud altogether, AND will add to their memory another case of insecurity talk with no substance.

While I hate to bash the CIA, the bottom line is that this blurb does nothing to increase security, but something to discredit the research community. The last thing that we need is a government agency tuning into unsubstantiated threat announcements.

Comment from Philip Huff
Time: January 21, 2008, 9:35 am

I attended the conference, and you have all the information we received. I agree with your assessment in exercising the caution flag before drawing any conclusions.

Comment from Pete Lindstrom
Time: January 21, 2008, 10:56 am

I am curious whether anyone can confirm whether Donahue was actually there or the information was read from a letter.

Thanks.

Pete

Comment from Jake Brodsky
Time: January 21, 2008, 11:00 am

This is the quandary with such information. If you reveal detailed information to the world, you could risk your sources. If you say nothing, what was the point of gathering such information?

Once again, this is why I feel an ISAC is an important tool for this sort of information. Sadly, it doesn't appear to be what the ISACs are doing.

Bland statements like this are counterproductive. Managers typically ask “So what?” in response to this. It doesn’t articulate a threat. It doesn’t identify resources that need to be hardened. Why bother?

Comment from amino world
Time: January 21, 2008, 12:34 pm

Pete, Donahue was there and gave the presentation. There was (to me, anyways) not much more content in the presentation which was not included in the handouts that I got. SANS (Paller) treated this as very "inside" information that we can all use to take back to our jobs and gain support for our cybersecurity projects… of course SANS is completely unafraid of hyperbole, so your mileage may vary.

ps i’ll echo jake’s comments for ISAC support — the topic came up several times during the conf.

Comment from Pete Lindstrom
Time: January 21, 2008, 2:54 pm

@amino world -

Thanks for that confirmation.

Comment from cnioperator
Time: January 24, 2008, 7:30 am

In the UK, information is shared between government and critical infrastructure owners via information exchanges: http://www.cpni.gov.uk/Products/information.aspx. Specifically, the SCADA and Control Systems Info Exchange (SCSIE) shares threat and vulnerability data on control systems.
This arrangement works well; not sure why your ISACs don't do the same.

Comment from Jake Brodsky
Time: January 24, 2008, 9:25 am

I’m not sure why the ISAC subscriptions are little more than news clipping services either. However, that’s all I see in the e-mails our WaterISAC guys get.

I have seen congressional testimony that the ISAC organizations are all in good shape. Yet, following the Aurora disclosure, we got NOTHING. Note that we have substations too. As a water utility, we have lots of large motors which are theoretically just as subject to the demonstration as any generator.

To be gracious, I think the ISAC managers are still trying to figure things out.

Comment from Ron Southworth
Time: January 24, 2008, 12:21 pm

Hi Gents,

Like all good stories there is an element of truth. I would suggest that this is the case with this disclosure, and it is the same as last year's for those with a good memory, just a bit more "innuendo with a touch of cloak and dagger".

Something to remember is that SANS has started their training calendar for this year. I see this more as their annual hype to encourage participation in their courses. They are not bad from all accounts, but I don't know how good they are at control systems security training.

I will say the same as last year, heart in the right place just not on the best road to travel to arrive at the destination.

Hi CNIOperator. I keep forgetting you are from the UK! It is a shame that you cannot comment in the open but I do understand that many organisations don’t like people commenting on anything full stop.

Jake, the UK system is very similar conceptually to the model we have here. I think they have been working together (industry) a bit longer, so if anything they are probably a bit better interconnected! Maybe CNIOperator could confirm if they find they are getting a lot of value out of their involvement with the SCSIE program. Maybe even a percentage of participation may be some encouraging figures?

From what I have read and researched on the ISACs and how they are supposed to operate, it does not surprise me that you don't see much, especially from the water sector.

It is a shame to hear that it is not as effective as it could be from an end user's perspective, especially when you consider the process is a pay-for-participation service model for some sectors. Maybe you can confirm if the water ISAC does charge a fee for services.

At the end of the day these sorts of resources are only as good as the membership allows them to be: how much involvement and participation people put into them.

Let’s face it Jake are you encouraged and rewarded by your organisation to put the amount resources and efforts into security that you do? I think I already can answer that it is, probably the same as what I experience. Still I am not doing this all for them at the end of the day and I am certain you are not either Jake.

I think they have had a fair bit of time, Jake. I am of the understanding that the power sector ISAC works quite well. Maybe the problem is one of logistics or resources, Jake.
