The title is a little bit of tongue in cheek. That being said, on the SCADA mailing list this past Saturday the following was posted with regard to a new SCADA security list.
(5) Due to heightened security and awareness levels worldwide, ALL MESSAGES ARE WATCHED CAREFULLY. Violators who report methods that are going to disable, damage, dismember, destroy, or disarm any control system, SCADA device, or infrastructure will be reported to DHS (and/or their respective national or federal authority).
I was floored that they would endeavour to launch a public mailing list dealing with SCADA security but threaten you if you disclose security issues. Especially since information that would “qualify” is routinely posted to the SCADA list. Odd. While I understand their motivations, I think they missed the boat. Others are far more vocal on this point.
Kevin Poulsen From Wired:
Only the SCADA community could conceive of a mailing list that tries to get you arrested for discussing security issues. And we wonder why SCADA is still insecure.
What he said.
wow.just.wow.
If there’s *that* big of a risk, then why not move the list to a private-ish (ala securitymetrics) list or social group with membership status dependent on some sort of background check?
@Alex
Yes, it gives one a moment’s pause, doesn’t it?
David,
Just a friendly note and request:
The link you have on your website referencing the Australian SCADA mail list has not been valid for quite a while and as the list owner you are inferring censorship occurs I would appreciate a correction and acknowledgment that you made an error.
Let me be crystal clear. No Form of censorship is in place on this list nor has there ever been.
With all respect please check your facts before posting such erroneous information as I find the inference on the comments being made on one list apply to both lists as being personally and professionally offensive.
No such statements were made on the Australian SCADA Mail List.
The SCADASEC List and The SCADA mail list (or SCADA Gospel) list are not one and the same. I do know the owner of the SCADASEC list and he is a friend and colleague. ISP esecurity laws in the USA are quite different than those of Australia.
One of the key freedoms that the list I host has is that the participants moderate what is acceptable behavior and discussion topics and are open and free to say what they believe.
I have had only one situation where there has been a disagreement over what has been posted but never has the content been deleted or censored. This list has been around for many years and will remain around for as many years as the service is of benefit to the community.
I would appreciate a prompt response and apology.
Ron Southworth List Administrator
Ron.Southworth@scadaperspective.com
http://www.scadaperspective.com.
@Ron
Revisionist history doesn’t merit such a response.
You stated,
I made an error? Are you saying that the email copy was never posted there?
More bran might be in order.
Just because the page is no longer there doesn’t mean that I, or any of our readership who saw it at the time (including Kevin Poulsen from Wired), didn’t read it. You can’t make believe that passage was not there. Your site carried a copy of the email to the Infracritical list.
Oh, and as to checking my facts… Reference: Link
So no Ron, I will not be issuing any apology.
David,
The weakest form of defense is to attempt to deflect a failing by way of an attack, such a shame.
My language was not attacking at all in fact it was quite benign.
The two points in particular you did not respond to at all or correct your errors.
1. That the two mail lists are affiliated in some way.
2. That the SCADA mail list content is censored.
Both of these assumptions are incorrect.
What I take some offense to is that you are implying that the SCADA mail list is censored and it is not. I take particular pride in the fact that the way the list is structured it complies with our laws and provides a medium that is free from censoring apart from list participants deciding what is appropriate behavior and language of course. A reasonable and fair person would simply say well sorry mate I made a mistake.
It is not revisionism when you just simply got it not exactly right is that easier to say Fonzie?
Ron Southworth
Alright.
I’m stepping in before this gets even further out of hand.
Ron:
The two mail lists are affiliated in that they are both about SCADA – they carry many of the same membership, and there is a significant level of cross-posting. Additionally, the SCADASEC-L was initially offered to the members of SCADA-L in a posting by Rad.
As has been discussed *TO DEATH*, Rad’s initial post did contain the whole “reserve the right to censor” and in fact, during the WATER-ISAC kerfuffle, there was (post fact) redaction of posts to Rad’s list (SCADASEC-L).
Dave’s implication above (shared by Poulsen) is that the expectation of the public is that there are smart people doing smart things to make sure that SCADA-using industries are SECURE. The postings on SCADA-L and SCADASEC-L offer a significantly contrary view. Part of that contrary view is the advertisement for SCADASEC-L which was carried on SCADA-L (I believe prior to your tenure as list-owner) and which contained the (sane under the abysmal laws of the USA, but) patently insane “talk about anything and we’ll sic the gubermint on ya” disclaimer.
You and I both know that Jake, Rad, you, Marcus, Mark, and Dave and I are the smart people working on making up for the LEGIONS of stupid people in both the vendor and user communities.
I suggest that rather than trying to get a recant from a year old web posting, we get on with the job at hand — undoing 30 plus years of tomfoolery on the part of the legions of stupid.
Answering your two points in specific detail:
1/ The two mailing lists (SCADA-L and SCADASEC-L) are affiliated through common membership and crossposting. They are NOT affiliated by geospatial location, server cohabitation or co-ownership.
2/ The SCADA-L list may or may not be censored. Certainly the SCADASEC-L list is. Often the SCADA-L list SHOULD BE due to the fscking irresponsible postings of several of its members.
The three of us have now spent more time on this one blasted post than it would’ve taken to assess and remediate the infrastructure of a small town water system. That, my friend, is the true waste.