[UPDATE]: Welcome Heise.de folks. Please be sure to read the article.
On Sunday Saturday I managed to take in the SCADA presentation. It was an hour of my life that I would most assuredly like to have back. Ganesh Devarajan from Tipping Point gave a talk on the subject. Within the first five minutes it became readily apparent that he has never actually worked on a SCADA system. He went on to describe the basics of the various protocols that are used with SCADA systems such as DNP3 and ICCP but, he then showed his blind side to the audience.
“SCADA systems are extremely vulnerable to attack” he said. OK, but, you have to get to them first. He left the audience with the distinct impression that any script kiddie with 5 minutes to spare could take out the water treatment or traffic lights. This is a rather significant overstatement. But, I guess he wanted his five minutes in the press. Sadly the AP fell into this trap:
Terrorists and other criminals could exploit a newly discovered software flaw to hijack massive computer systems used to control critical infrastructure like oil refineries, power plants and factories, a researcher said Saturday.
Ganesh Devarajan, a security researcher with 3Com Corp.’s TippingPoint in Austin, Texas, demonstrated the software vulnerability he uncovered to attendees at the Defcon hacker conference on computer security.
Um, no he didn’t. He didn’t bring fire to the village. He just outlined some common problems that exist in any network.
At no point did he show a smoking gun. Sure there are vulnerabilities in these systems (as with any) but, Ganesh did not show anyone anything new nor did he arrive with research. Myrcurial on the other hand got the crowd going when he mentioned that he had a couple of SCADA vulns in the can. And he does. But, no they are not going to be released to the public. We have decided that we are going to work on a SCADA presentation for next year with some meat on its bones. As an aside I recommend folks interested in this subject check out SCADA Security.org
The only thing that Ganesh managed to accomplish is to get folks talking about SCADA security in the mainstream press. Bless him for that.
[tags]SCADA at Defcon, Defcon SCADA, SCADA Security, Defcon[/tags]
Dave – thanks for the in-person report.
I have checked out the http://www.scadasecurity.org site you recommended and was unable to determine who are leading this project. I couldn’t find any individual names or organization names which is quite odd.
Do you know who is behind this worthy effort?
Dale
Hi Dale,
Yes, I do in fact. This is a fledgling effort by a few folks. I can send you more info.
cheers,
Dave
Dave – please do. Send it to my email in this form (not published).
Actually my suggestion is to encourage them to include this information on their site. I have been hesitant to mention this apparently worthy effort in my blog because I don’t know who is behind it and what their agenda may be.
Dale
I was at DefCon, and I do not believe there was a SCADA presentation on Sunday. Are you referring to the one on Saturday? If so, your time certainly would have been better spent at Dan Kaminsky’s Black Ops 2007 (which was in the room that the SCADA talk was supposed to be in.)
Thanks Mark. I have made the correction. It is admittedly a bit of a blur at this point but, yes. The Kaminsky presentation would have been a much better choice.
Not sure what they were thinking putting Dan in the track 5 room initially.