Ah yes, the “Us vs Them” perennial smack down. This ranks right up there with Mac vs Windows. It’s a nothing argument. As an example, I prefer Mac. There are others who swear on a stack that Windows XP is (insert deity)’s gift to the masses. There is nothing to be gained in an argument such as this.
Now, the reason I touch on the “Us vs Them” is that there is a growing dust up between the IT security wonks and the SCADA wonks. The basis for this? Simple. Whose is longer. It’s silly. There is a comment thread that brings this into sharp detail over on ControlGlobal.com. Dale Peterson weighs in on the side of IT Security:
Where we differ is I don’t see a lot of pretenders coming from the IT side out there spreading FUD, and would rather encourage the people trying to cross over and help in control systems rather than say you don’t get it. Stay out. We need their skills.
I have some old school SCADA folks who have been dismissive towards this scribbler. Well, I have my C.V.
Walt Boyes responds to Dale,
There are lots of people crossing over from IT security into plant cybersecurity – and I’ve attended enough conferences and spent enough time talking to them and I can flatly tell you that most of them not only do not understand plant security BUT THEY ALSO DO NOT WANT TO LEARN.
Now, I would disagree on this point, but rather than weigh in, I would direct folks to check out this interesting thread.
Here’s the comment I left on the story — in case it doesn’t show up.
=======
I think that the issue posed in the original discussion above is only semi-valid.
To be different, I’ll use letters:
A/ The fact that the Wonderware issue was on an old version that is destined for end-of-life status is *exactly* the point. Process control hardware and software “total systems in use” is going to be asymptotic. There will always be a slowly declining number of systems in use – regardless of the manufacturer’s position on this. I recently encountered a process control system in use at a rural water management site that was running CP/M, using 8″ floppies, and contained within a particle board desk. These systems aren’t replaced until necessary, and in the case of older systems, necessary may be a very long time indeed.
B/ Both sides of the argument have significant issues with hubris. As I’m originally from the IT side, I’ll take that one directly on the chin – when I started in SCADA security, I had a (metric) butt-load to learn. I’ve done my best to ask the dumb questions, to agree to being made fun of, to set myself up as less the expert and more the student. I think I’m in the minority relative to some of the others scrambling for a chance to bite off some of the budgets being released for saving the planet (this time). Dale is also one who has put in the time. On the other side, I was informed (by a 35 year veteran of power systems design) that I should stick to my knitting as he’s been a professional in the field longer than I’ve been alive. Gee, thanks Mister! By the way, your web-enablement of your power system is susceptible to more than half of the OWASP security flaws in web interface security. If he’d stepped off of his high horse, we might’ve learned something from each other. Joe took the time to listen to me when I was describing a technical issue to him, considered what I had to say and took the advisement, rather than dismissing me out of hand because his hair is grayer than mine.
C/ Of course people (media, governments) are going to misunderstand poor articulations of risk relative to control systems. The last 40-60 years of the “dumbing of the sheeple” has destroyed the general public’s understanding of some basic science facts. If you connect real physical systems to logical controls, you *must* enable the logical controls with the same security that you would normally afford the physical systems. For a period of time, the administrative login to a large-area load shedding system was available on the internet to anyone who could figure out that a good password is not the word “password”. By itself, this simply meant that you could forward a signal to all loads to shutdown (about 20 typed characters and about 10 clicks). By itself, this is just a configuration mistake and not really a big deal. Except that the load shed ability would be sufficient to destabilize the Erie Loop. How long do you think that took me to get the password changed? Would you be surprised if I said 2 months? I didn’t release that one (in fact, this is the first time I’ve noted it publicly) and I know that the media would’ve had a bloody dance with it. Is it my duty as the “IT guy” side of SCADA security to keep prodding that vendor? Would you be surprised if I told you that there are at least two other ways to gain administrative control over those loads?
D/ I’d love for it to be a requirement for all security teams to be comprised of *both* an IT expert (someone who understands the context of logical systems security in the wider “connected” world) and a Process Control expert (someone who understands what happens when you introduce an additional 200ms of latency on a safety system). Together, they’re a powerful team. Alone… well, you can see where we are now based on the discourse above.
E/ Both sides are responsible for education – Walt’s got this one right, Process Control for a cookie factory is different from Process Control for a coal plant. The outcomes of the exposure of the risks are in different worlds. Do presentations such as the INL “Look – it blewed up!” movie help or hinder? I’d suggest hinder – it’s all about waving your arms in the air and screaming about the end of the world. Do presentations such as Joe’s “The first rule of ‘Bad Things Happen Club’ is we don’t talk about ‘Bad Things Happen Club’” help or hinder? I’d suggest help – practical demonstrations for an audience who can make the necessary changes. Is there something in-between? Probably – I’d ask you to look at the coverage of the Estonian bot-net attack in the most recent PBS “Wired Science” – and what the impact of a same-scale event would be on North America – it’s not good, people, not good at all.
The question that I’ll close with is the same question I always close with — how can the various affected industries support pragmatic and rational change while simultaneously supporting those of us who are altruists as well as those of us who can’t afford to “lose face”?
Of all the credible people I know in Process Control/Plant Systems/SCADA security, I cannot think of any who are in it for fame and fortune. Joe’s not wearing a Rolex, Dale’s only tanned because he lives in Florida. Of those who lack the basic credentials (have actually worked in the right kind of environment and are not simply skills-transferral consultants), I cannot think of any who are willing to work the kind of hours and shed as much emotion as the other group.
(By way of my own credentials, while I use a pseudonym, I know both Dale and Joe and I used to work in the power industry.)
Is it bad when the comment is longer than the story?
@myrcurial
Sweet mother… now that is a comment.
🙂