injecting some reality into scada hysteria

SCADA attacking is big news right now. And this anonymous article over on Rafal Los’ blog, “The War Over SCADA – An Insider’s Perspective on the Hype and Hyperbole,” is a must read to counteract the rightfully called-out hyperbole in the media.

However! This is not a bulletproof rebuttal to recent SCADA fears. (Disclaimer: I’m not a critical systems/infrastructure or SCADA expert or even amateur. I may even be using the term SCADA overly broadly.) (Disclaimer: I’m the first person to say news media has a bias; they often report what they want, and what they want is to get eyeballs, and drama gets eyeballs…)

First, let’s scattershot the good, and there’s far more good in this article than bad. I really like that the author (let’s just say “he” so I don’t have to play the pronoun game) starts out by putting hacking risks into perspective; truly there is more to worry about with natural events, mechanical, and electrical failure. I doubt anyone would argue that. I also like the discussion about compliance and auditing and outliers and differences between various sectors (water vs electric). This is the sort of stuff most pundits aren’t actually researching into and can’t speak to. So I greatly appreciate this insight.

But, like I said, there are some holes. Nothing that kills the discussion, but certainly a difference in perspective.

1. “To date, cybersecurity issues have had no impact on those metrics in North America.” I’ve not been the victim of a home invasion, but that’s not really an argument that should dictate my behavior. I also don’t like the thought that we can just qualify this forever (e.g. …no impact on metrics in states outside of Illinois…). I don’t like that the lack of it happening means there’s no risk, or at least the implication of it. I don’t like this as an argument to stand on in this discussion, at least not heavily. The problem is a reasonable person *can* see risk in this, and isn’t privy to transparency over security controls. I don’t know how you fix that, however. Most of us reasonable people don’t have the time to examine what transparency there is. We just know network-enabled dashboards + internet access = eventual problem.

2. The first commenter added: “…some of the statements could be interpreted as downplaying the central issue: automation systems our society depends are fragile.” The author does actually somewhat address the need for security controls and reviews and touts the grandness of them, but it just needs to be added that further automation means further issues, and they can be widespread. One probably could point to almost any internal IT process gone haywire as an example. Or more visibly, the Wall Street hit that one day when automated trading systems went “weird.” (It’s Thanksgiving Eve, it’s late, I’m not going to look it up.) I just want there to be consideration of automation and the risks that brings. Not to say that’s bad! The whole purpose (the whole fundamental underlying PURPOSE) of IT is automation.

3. “In none of the other industries do we see the same level of hand-wringing over standards and interoperability as we are seeing in the energy industry”. Well, yes and no. First, yes we security pundits do hand-wring. Over everything. But the energy industry can be an easy target because it’s a public work. It’s not like I’m going to get sued if I call them insecure off the cuff. But enough on this point…

4. (Underlined emphasis is mine.) “In this paper, NERC and the U.S. Department of Energy identify three event types that they classified as high risk, but low frequency. These three events are pandemic, geomagnetic disturbance and electromagnetic pulses, and coordinated attack. Coordinated attack in this case was defined as ‘a concerted, well-planned cyber, physical, or blended attack conducted by an active adversary against multiple points on the system.’ The report goes on to say that no such attack has ever been experienced in North America. Run that probability through your risk calculator and see what comes out. This kind of event would be an act of war, and no private utility is able to, or could be expected to, defend against an attack funded by a nation-state. The cost of such defenses could easily double the cost of electricity.”

First, I don’t think the only cyberattack is one that is coordinated, well-planned. We need to also discuss Johnny at home Google-hacking your web front-end and guessing a password and being stupid, or Anonymous, or some other group in it for the Lulz. I think too many reports these days are missing that joyriding, opportunistic, even automated-malware-gone-wrong threat space. Second, let’s say that Illinois incident actually did originate in Russia. Was that really an act of war? Come on, this is still called classic espionage or even vandalism (I know, it probably bumps up from vandalism into something more felonious in our legal system). Most of the quote above is a bit obtuse and hyperbolic in itself. Third, though, I do like the statement at the end that really drives home some reality: that more controls would equal more cost. Hyperbole? Probably, but probably lots of truth in it.

I think that hits the major points. I will say again, I really, really like this article and it really must be a mandatory read for anyone hand-wringing and punditting over SCADA. I may argue a few discussion points, but the whole thing is still a valid stance. While we need people calling for more security and we need devil’s advocates, we also need doses of reality to mix in. This is the beauty (and balance and art) of “security” in any situation no matter the scope or budget.