funsec mailing list archives

Re: Foul


From: Robert Graham <robert_david_graham () yahoo com>
Date: Mon, 9 Nov 2009 20:53:19 -0800 (PST)

From: Dan Kaminsky <dan () doxpara com>
This is suspiciously like trying to design a car that can't
be crashed by its driver.

Or, it's like saying that software just shouldn't have bugs to begin with.

Software is going to have bugs. Even "analog" systems have bugs. Indeed, most of what you think of as non-computerized 
"analog" systems are actually things like LADDER logic: disconnected from the network, but still digital after a 
fashion.

Dangerous SCADA systems (like the power grid) are not lax in design. The typical design is:

Stage 1: the normal operation of the system, controlled through SCADA protocols, is designed to overcome the most 
common types of faults.

Stage 2: a secondary system, usually composed of things like LADDER logic, is designed to override and take control from 
the SCADA systems, either to prevent things from getting out of hand, or simply to shut things down before they can 
get out of hand.

Stage 3: Things have caught fire; the fire suppression system tries to prevent things from exploding.

Stage 4: Things went boom. Time to clean up.

In theory, you design each stage so that things can never get severe enough to get to the next stage. In practice, 
sometimes things go boom. When they go boom, you have to go back and figure out why the normal controls couldn't 
contain it, why the backup systems also failed, and why the fire suppression system didn't work. In nuclear power 
plants, they have to document every tiny little failure. You can actually read them online -- it's a sober account of 
how easy it is for the unexpected to happen.

The problem with the power grid is that it's unstable. If you simply told the computers to "shut off all the power", 
systems will fail when you bring it back online. Cascade failures of multiple unexpected events are common. Thus, the 
easiest way for a hacker to cause the maximum damage is just to go to the master console and hit the big "off" switch.

Now, my evil plan would be to run an "OPC fuzzer" that would enumerate all the controllable elements and start setting 
them to random values. I'm pretty sure I could make things go boom.

The hole in the SCADA thinking, BTW, is that they plan for "accidental" failure. They have a lot of experience with 
accidents, and a lot of robust models for recovering from accidents. The reason there is a problem dealing with hackers 
is that they have no experience dealing with "intentional" failures.



      

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
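The staged design and the "set every tag to a random value" attack described in the message above, as an added toy model (not code from the post, from Robert Graham, or from any real SCADA or OPC product). All names here (Tank, fuzz, enumerate_tags, MAX_RATE, BOOM_LEVEL, the 0-200 value range) are constructed for illustration. Stage 1 is a controller that follows whatever setpoint the SCADA side writes; Stage 2 is an independent interlock that trips the element on a physical limit, no matter what Stage 1 asked for. The same random-setpoint loop runs with and without the interlock, which shows two things the post argues: the interlock is what stands between a bad setpoint and "boom", and its success still ends with every element latched offline, i.e. the total shutdown the post warns is the easiest way to do damage.

```python
"""Toy model of a staged SCADA design: a Stage 1 controller that trusts its
setpoint, and a Stage 2 interlock that overrides it on a physical limit.
Added example; all names and numbers are constructed, not from any real
product or from the post itself.
"""
import random

BOOM_LEVEL = 100.0   # past this the element is into Stage 3/4 territory
MAX_RATE = 5.0       # physical limit: the actuator moves at most this much per scan


class Tank:
    """One controllable element: a level driven toward a SCADA setpoint."""

    def __init__(self, name, level=50.0, trip_high=90.0):
        self.name = name
        self.level = level
        self.setpoint = level       # writable tag (Stage 1 territory)
        self.trip_high = trip_high  # hard-wired limit (Stage 2 territory)
        self.tripped = False        # latched; cleared by a manual reset, not a SCADA write

    def scan(self, interlock=True):
        if self.tripped:
            self.level = max(0.0, self.level - MAX_RATE)  # shut down and draining
            return
        # Stage 1: the controller follows the setpoint it was given and does
        # no sanity check of its own.  Actuator speed bounds the change per scan.
        delta = max(-MAX_RATE, min(MAX_RATE, self.setpoint - self.level))
        self.level += delta
        # Stage 2: independent trip.  Because the level cannot move more than
        # MAX_RATE per scan, tripping at 90 guarantees it never reaches
        # BOOM_LEVEL.  That margin (trip point + max rate < boom point) is the
        # design rule that makes the interlock worth anything.
        if interlock and self.level >= self.trip_high:
            self.tripped = True


def enumerate_tags(plant):
    """Stand-in for browsing an address space: every writable tag in the plant."""
    return [(tank, "setpoint") for tank in plant]


def fuzz(plant, rounds, seed=1, interlock=True):
    """Write a random value to every tag on every scan.  Returns whether any
    element left its safe envelope and how many the interlock took offline."""
    rng = random.Random(seed)
    for _ in range(rounds):
        for obj, tag in enumerate_tags(plant):
            setattr(obj, tag, rng.uniform(0.0, 200.0))  # far outside any sane range
        for tank in plant:
            tank.scan(interlock)
        if any(t.level >= BOOM_LEVEL for t in plant):
            return {"boom": True, "tripped": sum(t.tripped for t in plant)}
    return {"boom": False, "tripped": sum(t.tripped for t in plant)}


def build_plant():
    """Three identical elements, all starting in a normal state (constructed)."""
    return [Tank("T1"), Tank("T2"), Tank("T3")]


def compare(rounds=2000):
    """Same fuzzer against the same plant, with and without Stage 2."""
    return {
        "with_interlock": fuzz(build_plant(), rounds, interlock=True),
        "without_interlock": fuzz(build_plant(), rounds, interlock=False),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label}: {result}")
```

With the interlock in place no element ever reaches BOOM_LEVEL, but all three end up tripped, so the "safe" outcome is a plant that is entirely off and needs manual resets before it can be restarted. Without the interlock the random setpoints walk an element past the limit. The model deliberately omits any recovery logic for the all-tripped case, which is the gap the post points at: the interlocks were designed for one element failing by accident, not for every tag being driven at once.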

