Ever since the AP article on Ganesh Devarajan of TippingPoint (a 3Com company) and his presentation at the DefCon hackers' conference last week, there has been a very interesting thread on the SCADA list. Most people on the list, however, are saying that the problem is that reporters scare people. That's not the problem. Here's what I just posted there:
You are all missing the point, unfortunately.

NERC just published a NOPR for the non-nuclear electric utilities in the US. Congressmen, Senators, state legislators, governors, and CEOs of major corporations, including utilities, know beans about automation in general and SCADA in particular. Crikey, the US Government still doesn't understand that SCADA and plant automation systems are different!

The fact that the reporters don't know what they are talking about is the point. They are the ones who get listened to. The rule-makers only know what they read in the papers and hear on TV. The people who put the rule-makers in office are getting the message that we aren't able to keep our own house in order. They will certainly help us to do that.

If NERC can make rules for all utilities' implementations of control systems, which they've never had the ability, authority, or desire to do before, except in the nuclear plants, DHS can certainly assert the same authority over all control systems everywhere. And if you are outside the US, so can your government. After all, there are terrorists under every bridge, you know. And control systems, despite what Jack Brodsky hopes, ARE clearly covered by Sarbanes-Oxley. The camel has not only his nose, but his entire body under the tent.

The issue is the same one I've been beating ISA over the head with for over a dozen years. We don't tell people outside our profession what the heck it is we do. Nobody knows. So they all think we don't do anything special. And if some goof stands up at a hackers' convention and tells people he can bring down any control system, how are the hoi polloi going to know any different? They sure won't know from us, because we don't tell them.

Did the President of ISA, or IEEE, or AWWA, or EPRI go on TV to talk about SCADA safety? No, and maybe not yet. Should they? Unless you want to work for your respective government security agencies, they'd better.