I don’t even know where to begin.
I feel like I’m being tortured by AM the media machine.
Lets run down the list…
First, Siobhan Gorman… you {{REDACTED}} tool.
The WSJ article you wrote is such an incredible fluff piece, my high-school newspaper editor wouldn’t have permitted it.
You have all kinds of awesome quotes, except for the ones that you actually need to be attributable in order for you to call yourself a journalist. How does trolling the clip files that Rebecca Smith found for you and calling a few embassies make your article ground breaking in any way.
Do you have NEW, SPECIFIC evidence? If you do, please forward it to the appropriate authorities or PUBLISH IT. You’ve got some speculation and it’s shit.
Next up, Dennis Fisher over at Threatpost with his “industry analyst” piece…
What the hell is your point exactly? It’s not like Kaspersky has anything to contribute here. You’re drumming up more crap without providing either details or passing your evidence to the people who need to see it.
Of course, once you’ve got one anti-virus vendor in the mix, here comes another… McAfee’s “Security Insights” blog entryby Phyllis Schneck is all about how one time, at security camp, she heard a story about a nuculer reactor being shut down by a contractor’s laptop.
And why stop at shilling your company’s failed products (why is anti-virus different from anti-spyware and sold under 200 different SKUs?) Why not start shilling your people! Watch as the University of Pittsburgh puts a plaintive call out to say “Hey, um, we got a guy!”
Gregory Reed, a professor of electrical and computer engineering in Pitt’s Swanson School of Engineering and director of the school’s Power and Energy Initiative, is available to comment on the significance of the reported espionage as an indicator of the electric power grid’s potential vulnerability.
In the fine tradition of “Will what you’re eating now KILL YOU???? We’ll tell you at Eleven!!!” television artists news journalists at ABC News would like you to know that your phone is not powered by the local utility. (It gets it’s power from the seething rage of Nortel Shareholders.)
To the retired engineer who wrote this screed on a ZD Net blog entry about the WSJ story… including this gem:
EVERY SCADA system that I have ever seen use it’s own dedicated communication network to carry data between the Master Station (the “base”), and the substation Remote Terminal Units (RTU’s) and with the powerplants.
Good lord man, SHUT THE FUCK UP. You are the reason that the system is the mess that it is – you think that’s even remotely true? I’VE NEVER SEEN A SCADA SYSTEM IN THE POWER INDUSTRY THAT WASN’T INTERNET CONNECTED. EVER.
NERC attempted to do damage control and managed to put their foot into the good work being done by their own CSO!
Cyber security is an area of concern for the electric grid. Though we are not aware of any reports of cyber attacks that have directly impacted reliability of the power system in North America to date, it is an issue the industry is working to stay ahead of. NERC and industry leaders are taking steps in the right direction to improve preparedness and response to potential cyber threats. There is definitely more to be done, and we look forward to continuing our work with the electric industry and our partners in U.S. and Canadian government to improve reliability standards, ensure appropriate emergency authority is in place to address imminent and specific cyber security threats, and ultimately ensure a safe, secure, and reliable energy future for North America.
That statement comes only one day after Michael Assante put out his ballsy “You’re not doing an ethical job of adhering to the spirit of the regulations” letter. How disingenuous is it to stab your own guy right in the back?
Those dim-witted dinosaurs at the AP of course, go to great lengths to put in actual quotes from their un-named source.
“The vulnerability may be bigger than we think,” the official said, adding that the level of sophistication necessary to pull off such intrusions is so high that it is “almost without a doubt” done by state sponsors.
(Please note that our team did a pen-test in 2001 and achieved access, without any more state-sponsoring than the engagement letter.)
Things do SLOWLY get better…
Forbes attempts to pull a “fair and balanced” piece out of the wreckage of “journalism” expressed so far.
The usually bright and adroit folks at the BBC even picked up the story… shame on you, you should know better. At least you quote @dakami thus gaining back some credibility, who really does grok the issues since our face off at DEFCON last summer (forever to be known as the “Killer Oreos” discussion).
Eventually, sanity returns and several organizations manage to put an extinguisher to all of the flaming hair…
- Infrastructurist interviews Stephen Flynn.
Federal Computer Week thinks FERC should get on the job.- bNet tries to calm you with soothing quotes.
- Kevin Poulsen over at Wired manages to not piss me off and tells you to follow the money – the NSA wants to pwn the grid.
I’m just absolutely beside myself.
Here’s some facts:
- The grid is not secure now.
- The grid cannot be made secure by using existing technology and (most importantly) staff.
- The asset owners are working actively to avoid doing anything.
- The government doesn’t know where to start – in the US or elsewhere – as they are busy with other things and too pwn’d by special interest groups.
- There is no CIP firewall.
- Your product does not (in and of itself) make anything NERC compliant.
- There are ways to solve the problems of the existing systems, but you’re going to have to think out-of-the-box… way out.
- There are always bad people.
- It is not currently in any nation-state’s interest to de-stabilize the US. (I’m leaving out crazy dictatorships on purpose.)
- It is simply a matter of following the money.
- The Senate, the NSA, DHS, and others are invested in this.
- I’m frustrated and I wish that the WSJ had handled this story with a lot more intelligence.
- I need to lie down now.
Thankfully there are a few sources of humour in all of this…
(picture CC from waltjabsco’s flickr stream)
[tags]SCADA, WSJ, cyberterror, BULLSHIT, DUMBASSES[/tags]
It is interesting that while the AP implodes on itself trying to salvage their news business, real information is filtered out of the entertainment we currently call news by the very bloggers and social systems that the AP feels threatens their business model.
Oh the irony, but we have to accept that modern news media is all about ratings, and nothing about providing information and facts. Fact checking really messes with the entertainment value of the ‘news’ the regular media is so busy trying to feed us, which would be fine if they could include a disclaimer or just start calling it what it is, entertainment.
You call this a rant, but its the most honest piece of news I have heard on this subject, thanks for calling it out.
James Arlen, you just won yourself 2 beers at Defcon.
Oh, how I do so enjoy it when Mount Arlen erupts. The thing is, he’s right. The media has failed on this subject in epic fashion.
Thanks – I’m getting good twitter feedback too.
Agreed. James, I’m buying the first round if and when we meet some day.
I noticed the lack of hard facts too. I think Kevin Poulson may be pretty close to the mark on this one. I suspect that certain intelligence agencies are seeing scary things. A quiet anonymous “leak” to a reporter from a prestigious publication might cause enough of a flurry to give them an audience in front of a few congress critters. They can then ask for more funding.
However, I don’t see any nefarious deeds here. I see typical inside-the-beltway politicking. And the media droids bought it all, hook, line, and sinker.
Sigh.
Dude, you’re my hero.