CG1310-hard-hat
CG1310-hard-hat
CG1310-hard-hat
CG1310-hard-hat
CG1310-hard-hat

Reader Feedback: What Color Is Your Hat?

Oct. 10, 2013
Black Hat Caters to the Hackers and Security Researchers Primarily from the IT Community, as Well as the Press

In his Unfettered blog post, "Hard Hat vs. Black Hat," Joe Weiss takes on the hacker community and its relationship to critical infrastructure protection. He says, "Black Hat caters to the hackers and security researchers primarily from the IT community, as well as the press. It does not cater to the control systems engineers who maintain and operate these systems. Many of the more sensational presentations do not represent what is actually used, or how they are actually used in control system environments. The wireless oil industry hacking presentation was an example of hacking a protocol that is generally not used by the oil industry. The protocol that was hacked, Zigbee, has known vulnerabilities, and is used in home area networks for smart grid, not large industrial applications such as pipelines or power plants.

"Kyle Wilhoit's presentation on ICS honeypots was terrific and demonstrates a point that is too often overlooked. A small end user can be a target because it is small. Several years ago, the 'Illinois water hack' was pooh-poohed because many questioned who would want to target a small water utility in central Illinois. This is important because a small water utility has the same control systems as a large power plant or refinery. Moreover, a small electric utility is also connected to its larger neighbors, making it a back door into the larger utilities.

"It is not difficult to demonstrate the sky could be falling. It is more important to know if the demonstrations have relevance to critical infrastructure applications."

Bob Radvanovsky adds, "I agree wholeheartedly with this blog article. The black/white/grey/red/yellow hats are looking for something to make them famous. It has nothing to do with 'doing the right thing' by protecting our infrastructures If ‘dot-hats' (use your favorite color) were truly wanting to protecting critical infrastructure cyber assets, they would contact their federal/national governments and coordinate with them. The conferences such as DefCon, Black Hat, et. al show this  because it is something new for the hackers to prey upon. Remember: Hackers love challenges, even the ones who want to extort, destroy, damage, pillage, etc."