Hard hat vs Black hat - the hype versus reality

The issue of critical infrastructure protection, or control system cyber security, is becoming more popular with the mainstream IT community, as demonstrated by the number of presentations at Black Hat. The challenge is separating the real issues from the hype. The first and most important point is that the control systems used in almost all industries were designed for reliability and safety, and they do that very well. They have reliability numbers of far greater than 99% and operate for as many as 10-15 years. They were not designed to be secure and therefore aren't. That should not be a surprise, but apparently it is.

Black Hat caters to the hackers and security researchers primarily from the IT community as well as the press. It does not cater to the control systems engineers who maintain and operate these systems. Many of the more sensational presentations do not represent what is actually used, or how they are actually used, in control system environments. The wireless oil industry hacking presentation was an example of hacking a protocol that is generally not used by the oil industry. The protocol that was hacked, Zigbee, has known vulnerabilities and is used in home area networks for smart grid, not large industrial applications like pipelines or power plants.

Kyle Wilhoit's presentation on ICS honeypots was terrific and demonstrates a point that is too often overlooked. A small end-user can be a target because they are small. Several years ago, the "Illinois water hack" was pooh-poohed because many questioned who would want to target a small water utility in central Illinois. Kyle's presentation demonstrated there are many "nation-states" and others actively trying to hack a small water utility in Missouri. This is important because a small water utility has the same control systems as a large power plant or refinery. Moreover, a small electric utility is also connected to its larger neighbors, making it a back door into the larger utilities.

It is not difficult to demonstrate the sky could be falling. It is more important to know if the demonstrations have relevance to critical infrastructure applications.


  • Spot on!


  • I would agree wholeheartedly with this blog article. The black/white/grey/red/yellow hats are looking for something to make them famous. It has nothing to do with "doing the right thing" by protecting our infrastructures (and BTW, this isn't just for the U.S. alone, but...EVERYWHERE throughout the World). If dot-hats (use your favorite color from the 2nd sentence) were truly wanting to protect critical infrastructure cyber assets, they would contact their federal/national governments and coordinate with them. The fact that conferences such as DEFCON, Black Hat, et al. show this, is because it is something new for the hackers to pry upon. Remember: hackers *LOVE* challenges, even the ones who *want* to extort, destroy, damage, pillage, etc.



