wobblingmoon at yahoo.com
Wed Apr 8 10:41:57 CDT 2009
Robert Graham wrote:
> I agree that SCADA systems are extremely weak. I curl up in a ball laughing on the floor every time somebody mentions "Smart Grid". Here is a paper I gave a couple years ago at Black Hat. It's nothing surprising, but it's first-hand knowledge (that is, when I say SCADA is weak, it's because I've seen it for my own eyes, not because it heard it was well docum http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
I started a company called Lofty Perch a few years ago and we rapidly wandered into SCADA and CIP (Lofty is still going, but I'm not involved anymore). The challenge of addressing the space is complicated by: the nature of the folks who build and run these systems (steel-toed boots and hardhats, "seven years to go 'til retirement and I'll quit when some computer kid tells me what to do'); the lack of a mandate from the government (or anyone) to address the problem; and the inherent difficulties we (infosec) have as an industry.
The first of these is what it is, and we have to bear that in mind when crafting solutions. This is why the second is virtually an absolute requirement - these folks are much less likely to run off and embrace security than IT (pointed pause......).
The third is something we can do about, but - for all the same reasons that we struggle with IT security - we don't. We need to make it programatically simple for the facility owner/operators to consumer security solutions like they consume epoxy and PLCs, but we keep trying to explain to them how digital signatures are revoked.
More information about the funsec