> From: Dan Kaminsky <[email protected]>
> This is suspiciously like trying to design a car that can't
> be crashed by its driver.

Or, it's like saying that software just shouldn't have bugs to begin with.

Software is going to have bugs. Even "analog" systems have bugs. Indeed, most 
of what you think of as non-computerized "analog" systems are actually things 
like LADDER logic: disconnected from the network, but still digital after a 
fashion.

Dangerous SCADA systems (like the power grid) are not lax in design. The 
typical design is:

Stage 1: the normal operation of the system, controlled through SCADA 
protocols, is designed to overcome the most common types of faults.

Stage 2: a secondary system, usually composed of things like LADDER logic, is 
designed to override and take control from the SCADA systems, either to prevent 
things from getting out of hand, or simply to shut things down before they can 
get out of hand.

Stage 3: Things have caught fire; the fire suppression system tries to prevent 
things from exploding.

Stage 4: Things went boom. Time to clean up.

In theory, you design each stage so that things can never get severe enough to 
get to the next stage. In practice, sometimes things go boom. When they go 
boom, you have to go back and figure out why the normal controls couldn't 
contain it, why the backup systems also failed, and why the fire suppression 
system didn't work. In nuclear power plants, they have to document every tiny 
little failure. You can actually read them online -- it's a sober account of 
how easy it is for the unexpected to happen.

The problem with the power grid is that it's unstable. If you simply told the 
computers to "shut off all the power", systems would fail when bringing it back 
online. Cascade failures of multiple unexpected events are common. Thus, the 
easiest way for a hacker to cause the maximum damage is just to go to the master 
console and hit the big "off" switch.

Now, my evil plan would be to run an "OPC fuzzer" that would enumerate all the 
controllable elements and start setting them to random values. I'm pretty sure 
I could make things go boom.

The hole in the SCADA thinking, BTW, is that they plan for "accidental" 
failure. They have a lot of experience with accidents, and a lot of robust 
models for recovering from accidents. The reason there is a problem dealing 
with hackers is that they have no experience dealing with "intentional" 
failures.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.