Is the SCADASec listserver losing sight of SCADA?

Oct. 6, 2008

The SCADASec listserver had a rough and tumble week. In my opinion, the original intent of the listserver was to provide a vehicle for the SCADA (control systems) community to discuss control system security issues. At the beginning, it appeared that many of the discussions focused on control system issues by control system personnel with input from IT and security researchers. Subsequent to the Citect disclosures, it seemed the tone and participants shifted from a focus on control system issues to those of vulnerability disclosures, particularly from the security researcher community.

Mark Fabro made the following astute observation: “… Yes, there should be a place to post vulnerabilities and related ideas, but let's face it:  you can do it anywhere and have success.  Most of us hover on 10 or more lists looking for security stuff, so not posting details here is not going to make that much of a difference…I think that Bob has just decided that the list has moved away from its original shape and we need to get back.”

As I mentioned last week, it is starting to get dangerous with what is being openly discussed with the hacking community directly monitoring or participating in the discussions. I do want to mention the other conflict that Clint Bodungen brought up. The bad guys want to learn what is going on and will regardless of what we do. It is the good guys that are generally oblivious and are content to stay that way. I ran into that issue with DOE preparing for last year’s ACS Conference in Knoxville when we were going to have a discussion on control system field device security issues. Hank Kenchington wouldn’t participate because he didn’t want to make the issue public. Unfortunately, the subject was already public and it is just hurting the good guys (which was obvious from the Aurora discussions at this year’s ACS Conference). I for one am happy to see the listserver get back to its roots.

The CSIS Industrial Control Systems (ICS) White Paper providing cyber security recommendations to the next presidential administration will be published in full. The actual CSIS report (48 pages long) will have a condensed ICS discussion with recommendations (approximately 700 words). The condensed discussion will be provided in next week’s blog.

“The Michigan Public Service Commission has determined that fallen trees, a telephone glitch, and the vastness of the damage were factors that kept more than 700,000 Detroit Edison and Consumers Energy customers without power — some for days — during severe storms between June 6 and 13. Detroit Edison had two problems that may have slowed its response, according to the report. Because an automated customer phone setup malfunctioned — and that problem was not recognized for about a day — the company initially estimated 140,000 customers had lost power. The company then learned the number was actually about 350,000 customers.” Connecting systems such as call management and GIS mapping to SCADA can be, and has been, a cyber security issue.