Hard hat vs Black hat - the hype versus reality
The issue of critical infrastructure protection, or control system cyber security, is becoming more popular with the mainstream IT community, as demonstrated by the number of presentations at Black Hat. The challenge is separating the real issues from the hype. The first and most important point is that the control systems used in almost all industries were designed for reliability and safety, and they do that very well. They have reliability numbers far greater than 99% and operate for as many as 10-15 years. They were not designed to be secure and therefore aren't. That should not be a surprise, but apparently it is.
Black Hat caters to hackers and security researchers, primarily from the IT community, as well as the press. It does not cater to the control systems engineers who maintain and operate these systems. Many of the more sensational presentations do not represent what is actually used, or how it is actually used, in control system environments. The wireless oil industry hacking presentation was an example of hacking a protocol that is generally not used by the oil industry. The protocol that was hacked, Zigbee, has known vulnerabilities and is used in home area networks for smart grid, not in large industrial applications like pipelines or power plants.
Kyle Wilhoit's presentation on ICS honeypots was terrific and demonstrated a point that is too often overlooked: a small end-user can be a target because it is small. Several years ago, the "Illinois water hack" was pooh-poohed because many questioned who would want to target a small water utility in central Illinois. Kyle's presentation demonstrated there are many "nation-states" and others actively trying to hack a small water utility in Missouri. This is important because a small water utility has the same control systems as a large power plant or refinery. Moreover, a small electric utility is also connected to its larger neighbors, making it a back door into the larger utilities.
It is not difficult to demonstrate the sky could be falling. It is more important to know if the demonstrations have relevance to critical infrastructure applications.