Still attending S4 – and the quality of the speakers continues its lumpy, lurching way towards the goal.
Currently watching Langner discuss Threat Modeling in SCADA — except he’s gone right off the bleepin rails.
I mean WAY OFF THE RAILS. Offensively off the rails.
How do you create a presentation which goes all Giuliani off the top and invokes 9/11, continues with the Islamist threat, launches into a discussion of fatwa, and then heads right off into fantasy land?
I feel bad for Dale – this is double-plus-ungood.
Langner should not be listened to – he should not be given a stage – he’s propagating the same kinds of myths that pervade the “control systems engineers” world – that SCADA is too hard, that hackers aren’t interested, that the bad guys are on religious missions of hatred, that the war on moisture is ok.
He closed with a eulogy for Richard C. Rescorla of Dean Witter / Morgan Stanley who predicted the plane attacks on 911.
Sigh. I don’t want to forget what happened on that day in New York, but I refuse to live a life of fear. More people need to jump off the fear bandwagon.
The previous piece – on the plans for the mandatory PCTs for California by Grant Gilchrist of EnerNex – was quite good. I think that he may be in a position to do good things – especially by having some people look at implementation level issues.
Hi,
I’ve enjoyed reading your comments, good and bad, about the S4 event. I guess it is payback for me when I do it at events.
I would be curious to get your final opinion, for all to see good or bad, on the Virtual Attendee experience. Obviously the problems at the first keynote started it off poorly, but now that you have done it for two days, should we offer it next year? Should others that can’t travel consider it or save their money? Would you like to see it for other, non-Digital Bond events?
Dale Peterson
Myrcurial,
I don’t remember you giving any input in the QA session… probably that could have already adjusted one or the other misconception. I made it clear at the beginning of the presentation that I (and my co-author Bryan Singer) don’t see the major threat to SCADA installations in the form of intentional, malicious attacks. However, since the majority of papers suggest so, let’s go investigate. Actually I claim to have uncovered more myths than you think I am propagating. Unfortunately you are not getting quite specific about which myths you are talking about. For example, I did not say SCADA is too hard (for whom?); I stated that it is ridiculous to see that most IT folks who claim to be able to “hack” into SCADA systems end up with no clue what to do next. The idea of a top notch hacker exploiting a bug in a SCADA application is laughable. Adversaries who want to attack the system simply take advantage of the holes that the vendor has already built in and go straight to manipulating the process.
If you didn’t like the discussion of Islamism in the context of cyber terrorism, that’s one thing. The other thing is that over the years, the community, and even the GAO and Congress, have been satisfied with a mention of the Boden case as evidence enough for a cyber terrorist threat. Unfortunately you haven’t been specific about where I was telling fantasy.
It may well be my fault to some extent, but interpreting the presentation’s goal as to raise fear in the audience is completely absurd. About half of the presentation consisted of laying the methodological grounds for a threat modeling framework for SCADA attacks. The remaining half was about highlighting some sample scenarios, where the emphasis was on technical strategies that a competent attacker would use. The whole point about Rescorla is to remind folks that even extremely unlikely risks can be elaborated if somebody just sets out to do the intelligence.
OK, Myrcurial, so you didn’t like my presentation, and I am sorry for that. However, for any substantial criticism it would be beneficial to stick to what the presenter had actually said. Calling somebody a sycophant is one thing; backing it up with fact and argument is another.
Ralph,
I did in fact give input / ask a question. However, one of the joys of me being anonymous is that I know who I am and you don’t. I’m sorry it has to be that way, but trust me, it does.
I have seen with my own eyes the results of direct malicious attacks (from insiders who should know better) on SCADA infrastructure, and direct malicious attacks from external parties on the “Layer Zero / Layer One” of SCADA infrastructures (i.e. not through the application, or even through the network, but rather affecting the physical wires involved).
You did make the suggestion that an individual with an IT background would not be able to do anything useful in terms of ‘hacking’ a SCADA system – and I completely disagree with this statement. I have personally ‘hacked’ into a SCADA system and both disrupted normal operation and caused abnormal operation outside of the system norm — in the first case, through deliberate abuse of the data stream inbound from field devices, and in the second case through deliberate abuse of what the operator thought was happening.
In terms of your threat model, a ‘top notch hacker’ is not the problem you should be approaching – after all, I can simply get myself hired as a low level employee and work my magic from the inside – you should be approaching the “not good enough to be elegant, but good enough to screw up your day”.
With regard to your discussion of the Islamist threat, that’d be where you simultaneously went sycophantic and jingoistic. Spend some time outside of the United States. Watch some TV that isn’t Faux News. The cyberterrorism threat to the USA is quite well known, and it isn’t people in a desert assembling stolen C4 and cell phones into roadside bombs, it’s the people who are holding most of that stunning 9 TRILLION dollar debt. Follow the money – figure out who has the most to gain – and you’ll find your threat.
My point, which I stand by, is that you have a very narrow view of the issue, and you could gain some significant and useful viewpoints by spending some time outside of the little tiny corner of the world that you find so important.
Your point, as interpreted by this seasoned security professional, was completely lost to an objective audience through your over-use of the Islamist threat (rather than a generalized faith-centric threat such as, oh, I don’t know – the Christianist threat of the extreme right-wing American), your invocation of 9/11 almost as often as Rudy Giuliani, and your general refusal to even begin to understand what the capabilities of your “top notch hacker” might really be… or the desire to do any of those things.
We are getting the survey results in from S4 and one of the most interesting data points is Ralph’s talk has received about the same number of top three papers and least favorite three paper votes. So it certainly prompted a reaction.
One quick note – Ralph lives and works in Germany, not the US.
Myrcurial, I always appreciate some constructive criticism, so let’s go get this straight. I understand your main arguments are first, I paint a wrong picture of the hacker threat, second, I overblow a cyber terrorist threat from Islamists. Let’s briefly re-examine these topics.
The subject of my presentation is attacks on process control. So we’re excluding hacker attacks as in the Pennsylvania wastewater hack, where the attacker didn’t even know he ended up on a SCADA server. Now here’s the point on top notch hackers. If you are spending nights with your Canvas (or whatever) debugger to find some buffer overflow in a SCADA app that you plan to use as an entry point, you are making a complete fool out of yourself. First, the SCADA app is your easiest way to manipulate the process, so crashing it would be a dumb thing to do. Second, all popular SCADA products have open backdoors by design, and many in the S4 audience know about these. An attacker that doesn’t use such a door appears like a burglar who is picking a complex door lock while the entry through the garage is open. Not a cool thing to do. Disrupting process control, what you boast to have achieved, is a trivial task, and only the most naïve person would believe there is any “magic” in it. There are very few things in the SCADA world that would present a real challenge to experienced hackers, such as writing self-replicating code for popular PLC models, but it looks like the hacker folks haven’t found out about that or simply weren’t up to the task. Different from what you suggest in your rant, I didn’t place any emphasis on hackers, be they experienced or not. But perhaps exactly that is your problem.
Now let’s turn to my discussion of Islamist cyber terrorism. I have no account of how often the former mayor of NYC, with whom you seem to have some personal vendetta going on, referred to 9/11, but I believe it must have been more than the three or four times that I mentioned the subject. Of the 26 slides of the presentation, THREE are about Islamist cyber terrorism. You will no doubt remember that I also did discuss a non-Islamist, domestic cyber terrorist risk that hasn’t been discussed anywhere else. Nowhere in my presentation or paper did I suggest that a threat by Islamist attackers would be something that one should fear, or that it would be the most serious threat to SCADA installations. So do me a favour and explain how this can in any way be regarded as sycophantic, or issue an apology. As for insulting me as jingoistic: I spent my whole life outside the United States, and I don’t even have a TV at home. Besides that, your implication that my US co-author, who might watch what you believe is “faux news” (CNN, for example?), is so much behind the information resources that you have available in Canada is completely obnoxious.
What you came up with so far was nothing but insults and preoccupation. Your account of the presentation covers roughly ten of the 45 minutes. For those ten minutes that caught your attention, you give a bizarre misinterpretation of what was said. Come on, Myrcurial – a distinguished hacker like you must have more to offer than a 100% irrational, disorganized rant. I’m sure you can do better!
@Myrcurial, Ralph
Gents, while I have been enjoying your exchange, I feel it necessary to step in at this point. I would ask that you manage to keep all of your shots above the belt.
Now, return to your respective corners and let’s have a clean fight lads.
cheers,
Dave
@Ralph,
I’m sorry that you feel the comments I made were some sort of personal attack.
You managed to touch on two of my most significant “hot buttons” in the short span of about 20 minutes and my emotional response to those issues governed my writing here.
Thank you for the opportunity to respond and I will attempt to be more objective when I read your paper and should I encounter your speaking again.
Myrcurial
Myrcurial,
I really am a fan of heated debate and always willing to listen to people who argue that I talk crap. Sometimes I even tend to believe they are right. (Well, this is usually several months later.) The puzzling thing about your review of my presentation is the focus on remote topics that account for only several minutes, and that those several minutes were largely misinterpreted.
The rationale for my and Bryan’s paper is as follows.
Fact 1: Many, if not most people argue that intentional malicious attacks are the number one threat to SCADA security.
Fact 2: There is no hard evidence to prove this.
Fact 3: No researcher or practitioner even bothered to tell us who would/could attack, why, and how.
Therefore, Bryan and I set out to explore the subject – even though neither of us believes that intentional attacks are the main SCADA security threat.
The main issue of the paper is to construct a framework that can be used to model SCADA attack scenarios. I think that we did some pretty good work here, but I am still willing to debate that we missed some important point, did not put the right emphasis on this or that, or even that the whole framework is useless. In any case, this is what the paper and presentation are about, and this is what you can nail me for. To show the benefits of the framework, it is then applied to produce some sample scenarios. The paper includes ten sample attack scenarios for various kinds of attack clusters, namely sabotage, espionage, and cyber terrorism. In the presentation, I did not discuss all sample scenarios due to time limitations. There are certainly other scenarios that one can think of (or that did materialize), but we wanted to provide illustrative samples to highlight how the framework is applied and how it can reveal novel attack strategies that have slipped the attention of many security professionals – for example:
– using custom malware instead of online Internet access
– attacking through a contractor rather than hitting the target facility directly
– using a “dumb” physical attack rather than software in the insider scenario
Well, probably we are wrong at these and other points, but so far we have a pretty good feeling, and we would certainly appreciate it if this starts a discussion on attack strategies that can help security professionals to administer dedicated defense strategies.