Some time ago I was a pen-tester for a govt contractor.
After a few months into my then-new career I found myself constantly
terrified of the state of affairs of our infrastructure.
That was 13 years ago; I honestly hope that things have improved. I
tell myself that they have, just so as not to hole myself up in a bunker
with an AR15, iodine tablets, and Hunter S. Thompson's (ex) personal
stash of Dinty Moore beef stew.

I read the abstract for this paper in the very recent past and I was
not at all surprised; it seems to be indicative of everything that is
wrong with the information systems that run our critical
infrastructure. It terrifies me that what protects us is not good
security, but the lack of skill, imagination, and impetus of our
adversaries.

I have been doing some single sign-on related "work" at a big
financial institution in the Middle East; as a result I have been
finding all kinds of really silly bugs in pretty important software
(again, not naming names), and I am not that smart of a guy. There's
simply no way to get away from the feeling that despite all of the
hard work applied to security, the core software systems that actually
handle critical data are still either totally insecure or far too easy
to misconfigure in an insecure manner.

Marcus Ranum was right, there is simply no patch for stupidity.

jcw

On Wed, Jul 2, 2008 at 6:49 PM, Jason Gurtz <[EMAIL PROTECTED]> wrote:
> On 7/2/2008 09:34, ron minnich wrote:
>> our power grid in the US is, well, interesting:
>> http://www.ncsa.uiuc.edu/People/hkhurana/IFIP_CIP_08.pdf
>
> Additional interest might be found in CIP-001-1 thru CIP-009-1 found at
> <http://www.nerc.com/~filez/standards/Reliability_Standards_Regulatory_Approved.html>
>
> It would be great if Plan 9 was running on some of these embedded
> devices or in the control room in a monitoring and control role but it
> seems like VxWorks/Windows/Linux is too popular.
>
> I will tell you this:  There is money to be made in this SCADA sector
> and since it's all still semi-proprietary, people are used to forklift
> upgrades and don't care as much about preserving the platform.  Utility
> related GIS systems are another fertile ground.
>
> I wince when I see the invoices.
>
> ~JasonG
>
