[cta at hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']

Roy M. Silvernail roy at rant-central.com
Sat Aug 16 07:13:28 PDT 2003


On Friday 15 August 2003 22:29, Chris Kuethe wrote:
> On Fri, 15 Aug 2003, Harmon Seaver wrote:
> > Somehow I have difficulty believing that these people could be so totally
> > lame as to be running mission-critical stuff like this on windoze. Please
> > say it isn't true.
>
> it's scary just how much mission-critical stuff runs on windows. i'll
> confess right now to being a unix zealot, so the thought of anything
> mission critical (beyond hotmail and freecell) on windows is scary.

It's not just the reliance on Windows that's scary.  It's the mindset of the 
industrial controls industry, where the concept of security is perceived as a 
hassle for the end customer, and therefore something to be avoided.

10 years ago, I was developing a data collection and reporting program for the 
aircraft industry. The project suffered from creeping featurism, and one of 
the desired features was adding dialup data exchange, so the collection apps 
could send their data to a central location via modem.  When I asked how much 
security was wanted on the dialup port, I was told that none was necessary 
because no one would ever attack the system, and anyway, the data were not 
interesting to outside parties.  10 years ago, perhaps that was an 
understandable position, though certainly naive.  (I still put in a minimal 
challenge/response layer, if only to discourage the C-64 kids with 
wardiallers.)

A few weeks ago, I sat in on a meeting to talk over design of a TCP/IP 
Ethernet interface for an existing control system.  When I asked what 
security provisions were envisioned for this interface, I was told that the 
system was not intended for deployment on publicly routed network segments, 
so there was no need for any security protocol.

> i know of some fairly large installations running control systems for power
> generation on windows. these same sites then give the vendors access to the
> system via vpn across the internet. sure there are firewalls, but i don't
> have faith in the long-term maintenance of the vendor sites.

I've just returned from an extensive training seminar on OPC controls 
technology.  The acronym stands for "OLE for Process Control", and it's a 
Microsoft-centric technology built on top of DCOM.  At the lower end, OPC 
would let you control a PLC from Excel.  Given the compressed schedule of the 
course (normally three weeks, it was compressed to two for our class) and my 
previous experiences, I didn't try to discuss security at all.  But I noticed 
no authentication layer at all.  Apparently, the security Microsoft natively 
provides for controlling DCOM traffic is all that such an application has 
available.  And as far as I can tell, that would be none.

I suppose I do get a bit of entertainment from the looks on the engineers' 
faces when I bring up threat models and attack scenarios.  Most of them are 
indifferent.  Some are confused.  Some are annoyed.  And one or two have 
understood the threat, but told me that I shouldn't talk to corporate about 
such things because it would make the sales force nervous.

The reactions of sales droids (and even management) have been either dismissive 
(there is no threat) or hostile (I'm the threat).  The most entertaining 
episode was back when UPS was first deploying their DIAD electronic 
clipboard, and I asked what steps were being taken to protect the signature 
data in transit. (There was no protection at all; the signature data were 
retained in the clear and could be dumped by any device that knew the 
protocol. I believe this is still the case.)  That eventually produced a 
regional manager who visited the small company where I was employed.  He was 
visibly irritated that anyone would even ask about such things, and answered 
every threat scenario I presented with "That would never happen!"  He stalked 
off in a huff after I asked him how he would feel if his digitized signature, 
obtained legitimately when he received a package, were to appear at the 
bottom of an incriminating document faxed to his general manager.

Ironically, several of my jobs have included IT duties along with my usual 
engineering tasks.  Those same sales droids and engineers that scoffed at the 
need for security in their industrial controls applications came running to 
me frantically when their workstations became infected with SirCam or Klez.

Security, as Schneier says, is a process.  It's also a mindset, and I think 
one either has the mindset or he doesn't.  And for those that don't have it, 
it is *very* difficult to impart.
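The "minimal challenge/response layer" mentioned for the dialup port above is the kind of thing that takes an afternoon to add and removes the easiest attacks outright. The following is an added illustration, not code from the original post or from the author's project: a keyed challenge/response exchange between a central collector and a remote data-collection app, using HMAC-SHA256 over a fresh random nonce (the choice of HMAC-SHA256, the class names and the sample key are all assumptions of this example). It shows both sides of the exchange and why a recorded answer cannot be replayed on a later call.

```python
import hashlib
import hmac
import secrets

# Shared secret provisioned on both ends of the link.
# Constructed sample value for the example only.
SHARED_KEY = b"constructed-demo-key-for-illustration"


class Collector:
    """Central side: answers each dial-in with a fresh challenge and checks the reply."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.pending = None  # challenge outstanding for the current session, if any

    def challenge(self) -> bytes:
        # A fresh random nonce per session is what defeats replay of a recorded call.
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        if self.pending is None:
            return False
        expected = hmac.new(self.key, self.pending, hashlib.sha256).digest()
        self.pending = None  # each challenge is usable exactly once
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(expected, response)


class RemoteApp:
    """Remote side: proves knowledge of the key without ever sending it."""

    def __init__(self, key: bytes) -> None:
        self.key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


def legitimate_session(collector: Collector, app: RemoteApp) -> bool:
    """Normal dial-in: collector challenges, app answers, collector accepts."""
    return collector.verify(app.respond(collector.challenge()))


def replayed_session(collector: Collector, app: RemoteApp) -> bool:
    """Someone who recorded one call replays the old answer on a new call.

    Returns the collector's verdict on the replayed response (False = rejected).
    """
    first_challenge = collector.challenge()
    recorded = app.respond(first_challenge)  # what a line tap would capture
    collector.verify(recorded)               # the genuine session completes
    collector.challenge()                    # new call, new nonce
    return collector.verify(recorded)        # stale answer no longer matches


def wrong_key_session(collector: Collector) -> bool:
    """A caller who knows the protocol but not the key gets rejected."""
    impostor = RemoteApp(b"guessed-key")
    return collector.verify(impostor.respond(collector.challenge()))


if __name__ == "__main__":
    collector = Collector(SHARED_KEY)
    app = RemoteApp(SHARED_KEY)
    print("legitimate:", legitimate_session(collector, app))  # True
    print("replay:    ", replayed_session(collector, app))    # False
    print("wrong key: ", wrong_key_session(collector))        # False
```

This does nothing for confidentiality of the data on the line; it only answers the question the author actually asked, namely who is allowed to talk to the port at all, which is the gap the "no one would ever attack it" position leaves open.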





More information about the cypherpunks-legacy mailing list