Re: Foul

[Dan Kaminsky <dan () doxpara com>]

On Nov 9, 2009, at 6:44 AM, Jon Kibler <Jon.Kibler () aset com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Peter Evans wrote:
> > On Mon, Nov 09, 2009 at 12:13:23AM -0800, Paul Ferguson wrote:
> > > > http://fergdawg.blogspot.com/2009/11/scada-security-conscience-abuse-of.html
> > > > : Yes, I am pissed.
> >
> >    I don't blame you.
> >
> >    I haven't worked in SCADA since 1991. When it was a package
> >    called Dexterity. That brings back memories I'd rather not have.
> >    I also, for some reason, miss it, because you felt you were  
> > doing REAL
> >    stuff, when you could see how fast the blowers were running, how  
> > much was
> >    in the hoppers and watch values changing (all without having to  
> > wear ear-defenders!)
>
> There are many issues here. However, the general discussion on being  
> able to
> take out an electric utility (or any other control system for that  
> matter)
> through use of the Internet, misses the major point of control  
> systems design:
> All digital control systems should have analog safety systems. It  
> should not be
> possible to create a circumstance where damage can occur through the  
> failure of
> a digital control. Period. If such a failure is possible, do NOT  
> blame it on the
> Internet (or bad software, or terrorists, or cybercriminals, or  
> anything else
> outside of the control itself), because the issue is really that the  
> control
> system itself is poorly designed.
>
> Bottom line: If a digital control (SCADA, DCS, PLC, etc.) can be  
> manipulated to
> cause a system failure, then the control system is badly designed  
> and lacks the
> appropriate safety systems dictated by standard control system  
> design practices.

This is suspiciously like trying to design a car that can't be crashed  
by it's driver. The problem with analog systems is that they're  
necessarily constrained as to the error conditions they can detect or  
correct, and you're positing a digital attacker who can and will  
generate any worst case scenario conditions.

I have a general rule, never mistake what you want with what you have.  
I'm not convinced 'immunity to damage from primary control system' is  
an achievable goal, no matter how much we want it.

> Jon
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-813-2924
> s: 843-564-4224
> s: JonRKibler
> e: Jon.Kibler () aset com
> e: Jon.R.Kibler () gmail com
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkr4AJcACgkQUVxQRc85QlPAiACgmQ2Am+dnKG43+LDhIfSMntd5
> v6AAnje6YRIxiSr5HKI2M8O+8CFH5QkO
> =oeQF
> -----END PGP SIGNATURE-----
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.