Robert Graham wrote:
> I agree that SCADA systems are extremely weak. I curl up in a ball laughing
> on the floor every time somebody mentions "Smart Grid". Here is a paper I
> gave a couple years ago at Black Hat. It's nothing surprising, but it's
> first-hand knowledge (that is, when I say SCADA is weak, it's because I've
> seen it for my own eyes, not because it heard it was well docum
> http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
I started a company called Lofty Perch a few years ago and we rapidly wandered
into SCADA and CIP (Lofty is still going, but I'm not involved anymore). The
challenge of addressing the space is complicated by: the nature of the folks
who build and run these systems (steel-toed boots and hardhats, "seven years to
go 'til retirement and I'll quit when some computer kid tells me what to do');
the lack of a mandate from the government (or anyone) to address the problem;
and the inherent difficulties we (infosec) have as an industry.
The first of these is what it is, and we have to bear that in mind when
crafting solutions. This is why the second is virtually an absolute
requirement - these folks are much less likely to run off and embrace security
than IT (pointed pause......).
The third is something we can do something about, but - for all the same
reasons that we struggle with IT security - we don't. We need to make it
programatically simple for the facility owner/operators to consumer security
solutions like they consume epoxy and PLCs, but we keep trying to explain to
them how digital signatures are revoked.
-chris
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
