Hard hat vs Black hat - the hype versus reality

The issue of critical infrastructure protection, or control system cyber security, is becoming more popular with the mainstream IT community, as demonstrated by the number of presentations at Black Hat. The real challenge is separating the genuine issues from the hype. The first and most important point is that the control systems used in almost all industries were designed for reliability and safety, and they do that very well. They have reliability numbers of far greater than 99% and operate for as many as 10-15 years. They were not designed to be secure and therefore aren't. That should not be a surprise, but apparently it is.

Black Hat caters to hackers and security researchers, primarily from the IT community, as well as to the press. It does not cater to the control systems engineers who maintain and operate these systems. Many of the more sensational presentations do not represent what is actually used, or how it is actually used, in control system environments. The wireless oil industry hacking presentation was an example of hacking a protocol that is generally not used by the oil industry. The protocol that was hacked, Zigbee, has known vulnerabilities and is used in home area networks for the smart grid, not in large industrial applications like pipelines or power plants.

Kyle Wilhoit's presentation on ICS honeypots was terrific and demonstrates a point that is too often overlooked: a small end user can be a target precisely because it is small. Several years ago, the "Illinois water hack" was pooh-poohed because many questioned who would want to target a small water utility in central Illinois. Kyle's presentation demonstrated that many "nation-states" and others are actively trying to hack a small water utility in Missouri. This is important because a small water utility has the same control systems as a large power plant or refinery. Moreover, a small electric utility is also connected to its larger neighbors, making it a back door into the larger utilities.

It is not difficult to demonstrate the sky could be falling. It is more important to know if the demonstrations have relevance to critical infrastructure applications.

What are your comments?


Comments

  • Spot on!


  • I would agree wholeheartedly with this blog article. The black/white/grey/red/yellow hats are looking for something to make them famous. It has nothing to do with "doing the right thing" by protecting our infrastructures (and BTW, this isn't just for the U.S. alone, but...EVERYWHERE throughout the World). If dot-hats (use your favorite color from the 2nd sentence) truly wanted to protect critical infrastructure cyber assets, they would contact their federal/national governments and coordinate with them. The fact that conferences such as DEFCON, Black Hat, et al. show this is because it is something new for the hackers to prey upon. Remember: hackers *LOVE* challenges, even the ones who *want* to extort, destroy, damage, pillage, etc.

