> From: Dan Kaminsky <[email protected]>
> This is suspiciously like trying to design a car that can't
> be crashed by its driver.
Or, it's like saying that software just shouldn't have bugs to begin with.
Software is going to have bugs. Even "analog" systems have bugs. Indeed, most
of what you think of as non-computerized "analog" systems are actually things
like LADDER logic: disconnected from the network, but still digital after a
fashion.
Dangerous SCADA systems (like the power grid) are not lax in design. The
typical design is:
Stage 1: the normal operation of the system, controlled through SCADA
protocols, is designed to overcome the most common types of faults.
Stage 2: a secondary system, usually composed of things like LADDER logic, is
designed to override and take control from the SCADA systems, either to prevent
things from getting out of hand, or simply to shut things down before they can
get out of hand.
Stage 3: Things have caught fire; the fire suppression system tries to prevent
things from exploding.
Stage 4: Things went boom. Time to clean up.
In theory, you design each stage so that things can never get severe enough to
get to the next stage. In practice, sometimes things go boom. When they go
boom, you have to go back and figure out why the normal controls couldn't
contain it, why the backup systems also failed, and why the fire suppression
system didn't work. In nuclear power plants, they have to document every tiny
little failure. You can actually read them online -- it's a sober account of
how easy it is for the unexpected to happen.
The problem with the power grid is that it's unstable. If you simply told the
computers to "shut off all the power", systems will fail when bringing it back
online. Cascade failures of multiple unexpected events are common. Thus, the
easiest way for a hacker to cause the maximum damage is just to go to the master
console and hit the big "off" switch.
Now, my evil plan would be to run an "OPC fuzzer" that would enumerate all the
controllable elements and start setting them to random values. I'm pretty sure
I could make things go boom.
The hole in the SCADA thinking, BTW, is that they plan for "accidental"
failure. They have a lot of experience with accidents, and a lot of robust
models for recovering from accidents. The reason there is a problem dealing
with hackers is that they have no experience dealing with "intentional"
failures.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
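The staged design described in the post above (Stage 1 supervisory control over SCADA, Stage 2 an independent override modelled on ladder logic) as a runnable toy model. This is an added example, not code from the post or from any real SCADA product; the tag names, limits, the first-order process model and the write sequence are all constructed for the illustration. Its point is the one the post makes: the Stage 2 interlock must not depend on the Stage 1 path it is meant to override, so it only reads the measured value, has its own trip limit, latches once tripped, and is not writable over the supervisory protocol. The scenario runner lets you compare a write sequence that passes through Stage 1's bounds check with one that lands on the setpoint tag directly, the kind of "intentional" failure the accident-oriented models do not plan for.

```python
"""
Added example (not from the funsec post): a toy model of the staged
SCADA design described in the thread.  Stage 1 is the SCADA setpoint
path; Stage 2 is an independent interlock modelled on ladder logic that
can only see the measured process value and can only trip the plant.
All names, limits and the process model are constructed for this example.
"""
from dataclasses import dataclass, field


# Stage 1 -- supervisory control.  Setpoints arrive over a SCADA/OPC-style
# write path.  Bounds checking here is a "normal operation" control; it is
# skipped by anything that can write the setpoint tag directly.
@dataclass
class SupervisoryController:
    sp_min: float
    sp_max: float
    setpoint: float
    rejected_writes: int = 0

    def write_setpoint(self, value: float) -> bool:
        """Accept an in-range setpoint; count and drop out-of-range ones."""
        if not (self.sp_min <= value <= self.sp_max):
            self.rejected_writes += 1
            return False
        self.setpoint = value
        return True


# Stage 2 -- hard-wired interlock.  Deliberately simple: it reads only the
# measured value, has its own trip limit, and latches once tripped.  It
# never reads the setpoint and has no network-writable state.
@dataclass
class Interlock:
    trip_limit: float
    tripped: bool = False

    def check(self, measured: float) -> bool:
        """Trip (and stay tripped) when the measurement exceeds the limit."""
        if measured > self.trip_limit:
            self.tripped = True
        return self.tripped


# Constructed first-order process: each tick the measured value moves half
# way toward its target.  While tripped, the target is ambient (heater off).
@dataclass
class Plant:
    ambient: float
    measured: float
    gain: float = 0.5
    log: list = field(default_factory=list)

    def step(self, setpoint: float, tripped: bool) -> float:
        target = self.ambient if tripped else setpoint
        self.measured += self.gain * (target - self.measured)
        self.log.append(round(self.measured, 2))
        return self.measured


def run_scenario(writes, ticks=12, bypass_stage1=False):
    """Feed one setpoint write per tick into the layered system.

    bypass_stage1=True models a write that reaches the setpoint tag without
    passing the Stage 1 bounds check.  Returns a summary of what each
    stage did and how far the process excursion went.
    """
    ctl = SupervisoryController(sp_min=20.0, sp_max=80.0, setpoint=50.0)
    lock = Interlock(trip_limit=95.0)
    plant = Plant(ambient=20.0, measured=50.0)
    for t in range(ticks):
        if t < len(writes):
            if bypass_stage1:
                ctl.setpoint = writes[t]       # direct tag write, no check
            else:
                ctl.write_setpoint(writes[t])  # normal supervisory path
        tripped = lock.check(plant.measured)   # Stage 2 sees only the PV
        plant.step(ctl.setpoint, tripped)
    return {
        "rejected_by_stage1": ctl.rejected_writes,
        "interlock_tripped": lock.tripped,
        "peak_measured": max(plant.log),
        "final_measured": round(plant.measured, 2),
    }


if __name__ == "__main__":
    # Constructed out-of-range write sequence (the "intentional" failure).
    writes = [500.0, -40.0, 9999.0, 300.0]
    print("normal path:     ", run_scenario(writes))
    print("stage 1 bypassed:", run_scenario(writes, bypass_stage1=True))
```

With the normal path every write is rejected by Stage 1 and the process never moves; with Stage 1 bypassed the first write drives the process to 275 before the interlock trips on the next tick and brings it back toward ambient. The excursion that Stage 2 tolerates before acting is exactly the gap the post says has to be analysed after the fact: whether the trip limit and the sampling rate are tight enough that nothing reaches Stage 3.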