--- On Tue, 11/10/09, Ned Fleming <[email protected]> wrote:
> You're implying the Brazilian utility story may be a
> cover-up and that the motivation to do so was very high. And further, not
> even the participants in this alleged cover-up would be able to deny
> it was one. Interesting.
No. I suppose at some level I am implying that it was possible that it could
have been, but I seriously doubt that it was. What I am saying is that there
are so many ways these systems can fail that it is easy to provide an alternate
public story that most of the people directly involved with the systems would
not be able to discern. Obviously, actual participants of such stories would
be aware.
I can see how this could be read as a spiraling conversation about cover-ups
and conspiracies (I thought it might when I wrote the first comment), but that
was not my intent and I'm not likely to pursue such a pointless back-and-forth.
In the vast majority of cases I am of the opinion that conspiracy theories are
absolute bunkum. However, there are some marginal situations where motivation
and opportunity do lend themselves to obfuscation. In this case, it would not
destroy my world-view if I were to find out that the Brazilian grid operators
turned out to be unable to determine whether their system was hacked and
whether the sub-standard materials were to blame as opposed to someone jacking
with their transmission equipment causing some of the sub-standard materials to
fail - and further that related authorities might be tempted to point to said
sub-standard materials with a "nothing to see here" declaration.
> Not true for electric utilities. They're spending fortunes
> on NERC CIP. Electric utilities understand FERC/NERC are really
> just getting started. The smart grid ("from the toaster to the
> generator") cyber security standards will make NERC CIP look small.
The grid is making forward strides - which I couldn't be happier about - but as
you say NERC CIP will look limited compared to more evolved standards. Major
parts of the grid are getting much more resource than smaller parts, as is only
expected. But the grid consists of an enormous amount of individual players
and the vast majority of those are severely challenged. The scope of the
effort to address issues in the grid alone is out of scale with the resources
available to do so.
Moreover, the grid is only a (very large) small part of deployed control
systems. There are an extremely large number of control systems deployed in an
enormous range of applications throughout the infrastructure, and beyond some
parts of the grid virtually none of them are being addressed at all. These
systems are in both 'trivial' and non-trivial applications.
> >We need to regularize our approach to CIP cybersecurity
> or we aren't going to make any headway at all.
> I disagree.
You disagree that we need to regularize our approach, or that it is necessary
to do so to make headway?
Perhaps I overstated, let me try again:
We need to regularize our approach to CIP cybersecurity or we are extremely
unlikely to make adequate headway in an appropriate amount of time.
Lessons are being learned, those can be repeated and built upon. However,
compared to standard IT networks (which not even I would argue are secured to a
highly satisfactory level), control system security is at best underdeveloped
and underdelivered.
-chris
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
