Giving the Black Hats the keys to the store…

Training the Bad Guys

Dale Peterson’s April 22nd blog had the following: “Jason Larsen’s presentation on SCADA and Control System hacking from Blackhat Federal 08 is now available.”

There has been a prevailing view that control systems are secure because they are so arcane and obscure. However, the area of “SCADA Security” is making its way into the mainstream community, and worse, the hacking community. As long as four years ago, presentations were being made at “Black Hat” (hacker) conferences on “SCADA security”. Some of these presentations may not have been technically accurate, but they have spurred interest in the subject by individuals we would rather not be involved. In fact, about three years ago, SAIC gave a presentation at a Black Hat Conference on how to hack control systems. What made this presentation unique and scary was that it provided bit-by-bit instructions on how to hack specific control system protocols.

I personally have worked with Jason on vulnerability assessments when he was at INL and with the initial control system cyber attack demonstration at INL in 2004. Jason is very knowledgeable. Consequently, when I found out he had given a presentation at Black Hat, I was extremely concerned. What’s more, Jason is scheduled to give two training classes on hacking PLCs at Black Hat in Las Vegas in August. When I asked him why, his answer was they were interested. Of course they are. Wouldn’t a bank robber want to know how to rob a bank? But just because they are interested is not an excuse to train the “bad guys.” You can’t legislate ethics, but common sense should prevail.

Joe Weiss
Comments

  • Jason's actions are a judgment call. He may have decided that the time to remain discreet about such vulnerabilities is gone. I disagree, and I suspect you disagree too. However, there really isn't any other forum where such things can get discussed freely.

    So he's going public. I wish he wouldn't -- especially among Black Hats. But we're not getting far with the efforts to stay discreet about this stuff. His actions could be viewed as a necessary sacrifice to force us toward better reporting organizations, standards, and (ugh) regulation.


  • Funny, I had the same thoughts about Jason's presentation at Black Hat. Why would someone like him do that?

    Even though the blackhats try hard to create an image that's all about security, freedom, and David vs. Goliath stuff, most of us have a sense that all too often this is just an excuse for stupid or criminal activities, or to make some money with what you're doing for fun anyway -- how many companies have already contracted hackers as "security experts"? I believe there still is a solid line between "us" and "them", and I was puzzled to see an ex-INL employee go to bed with the hackers. You can't do that without losing your reputation. If one wants to educate security folks about SCADA problems, there are certainly better venues for doing that.


  • Unfortunately, it is no longer 1994 and asset owners can no longer hope to benefit from outmoded security-through-obscurity policies to protect their process control systems. We all know nation states are actively taking advantage of this dated and wrong-headed philosophy that puts us all at risk. This has taken place with or without the public dissemination of process control security data.

    It's 2009, and the world is not becoming any safer in the cyber theater, and vulnerable control systems are a favorite target of our shared assailant. It is not the time for infighting within the community, and casting unfounded judgements. It is, however, time to work together towards securing the future of the nation and fostering real solutions to this situation.

    Ignorance is unbecoming. Joe, we all encourage you to challenge your preconceived notions and attend a BlackHat conference in person before you jump to conclusions and judge other people's professional ethics. After all, 1500 of the BlackHat USA attendees are from the federal government seeking to gain knowledge. Do you think any of them enjoyed Jason's class? I would encourage you to ask next time.

