[cta at hcsin.net: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm']
Roy M. Silvernail
roy at rant-central.com
Sat Aug 16 07:13:28 PDT 2003
On Friday 15 August 2003 22:29, Chris Kuethe wrote:
> On Fri, 15 Aug 2003, Harmon Seaver wrote:
> > Somehow I have difficulty believing that these people could be so totally
> > lame as to be running mission-critical stuff like this on windoze. Please
> > say it isn't true.
>
> it's scary just how much mission-critical stuff runs on windows. i'll
> confess right now to being a unix zealot, so the thought of anything
> mission critical (beyond hotmail and freecell) on windows is scary.
It's not just the reliance on Windows that's scary. It's the mindset of the
industrial controls industry, where the concept of security is perceived as a
hassle for the end customer, and therefore something to be avoided.
10 years ago, I was developing a data collection and reporting program for the
aircraft industry. The project suffered from creeping featurism, and one of
the desired features was adding dialup data exchange, so the collection apps
could send their data to a central location via modem. When I asked how much
security was wanted on the dialup port, I was told that none was necessary
because no one would ever attack the system, and anyway, the data were not
interesting to outside parties. 10 years ago, perhaps that was an
understandable position, though certainly naive. (I still put in a minimal
challenge/response layer, if only to discourage the C-64 kids with
wardiallers)
A few weeks ago, I sat in on a meeting to talk over design of a TCP/IP
Ethernet interface for an existing control system. When I asked what
security provisions were envisioned for this interface, I was told that the
system was not intended for deployment on publicly routed network segments,
so there was no need for any security protocol.
> i know of some fairly large installations running control systems for power
> generation on windows. these same sites then give the vendors access to the
> system via vpn across the internet. sure there are firewalls, but i don't
> have faith in the long-term maintenance of the vendor sites.
I've just returned from an extensive training seminar on OPC controls
technology. The acronym stands for "OLE for Process Control", and it's a
Microsoft-centric technology built on top of DCOM. At the lower end, OPC
would let you control a PLC from Excel. Given the compressed schedule of the
course (normally three weeks, it was compressed to two for our class) and my
previous experiences, I didn't try to discuss security at all. But I noticed
no authentication layer at all. Apparently, the security Microsoft natively
provides for controlling DCOM traffic is all that such an application has
available. And as far as I can tell, that would be none.
I suppose I do get a bit of entertainment from the looks on the engineers'
faces when I bring up threat models and attack scenarios. Most of them are
indifferent. Some are confused. Some are annoyed. And one or two have
understood the threat, but told me that I shouldn't talk to corporate about
such things because it would make the sales force nervous.
The reactions of sales droids (and even management) have been either dismissive
(there is no threat) or hostile (I'm the threat). The most entertaining
episode was back when UPS was first deploying their DIAD electronic
clipboard, and I asked what steps were being taken to protect the signature
data in transit. (There was no protection at all; the signature data were
retained in the clear and could be dumped by any device that knew the
protocol. I believe this is still the case.) That eventually produced a
regional manager who visited the small company where I was employed. He was
visibly irritated that anyone would even ask about such things, and answered
every threat scenario I presented with "That would never happen!" He stalked
off in a huff after I asked him how he would feel if his digitized signature,
obtained legitimately when he received a package, were to appear at the
bottom of an incriminating document faxed to his general manager.
Ironically, several of my jobs have included IT duties along with my usual
engineering tasks. Those same sales droids and engineers that scoffed at the
need for security in their industrial controls applications came running to
me frantically when their workstations became infected with SirCam or Klez.
Security, as Schneier says, is a process. It's also a mindset, and I think
one either has the mindset or he doesn't. And for those that don't have it,
it is *very* difficult to impart.
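The post above mentions putting a "minimal challenge/response layer" in front of a dialup data port without describing it. The following is an added example, not the author's code and not a description of the protocol he actually shipped: one way to build such a layer today, with a shared key, a fresh random nonce per session, an HMAC over the nonce, a constant-time comparison, and rejection of replayed responses. The key, the "login" label and the message layout are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed shared key for the example only; a real deployment would
# provision a per-site or per-device key out of band.
SHARED_KEY = b"example-shared-key-not-for-production"

# Domain-separation label so a response for the login exchange cannot be
# reused as a MAC over some other message on the same link (assumed layout).
LOGIN_LABEL = b"dialup-login-v1"


def client_respond(key: bytes, nonce: bytes) -> bytes:
    """Collector side: answer the central site's challenge.

    The response is HMAC-SHA256(key, label || nonce). Knowing the nonce
    and the response does not reveal the key, and a different nonce
    requires a different response.
    """
    return hmac.new(key, LOGIN_LABEL + nonce, hashlib.sha256).digest()


class CentralSite:
    """Central site side of the exchange: issues challenges, verifies answers."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = None       # nonce of the challenge currently outstanding
        self.accepted = set()     # nonces already used by a successful login

    def challenge(self) -> bytes:
        """Issue a fresh 128-bit random nonce; only one may be outstanding."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, response: bytes) -> bool:
        """Check a response against the outstanding challenge.

        Fails closed if no challenge is outstanding, if the nonce was
        already consumed, or if the HMAC does not match. Comparison is
        constant-time so the check leaks nothing through timing.
        """
        if self.pending is None:
            return False
        nonce, self.pending = self.pending, None   # a challenge is single-use
        if nonce in self.accepted:
            return False
        expected = hmac.new(self.key, LOGIN_LABEL + nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.accepted.add(nonce)
        return ok


def run_handshake(site: CentralSite, client_key: bytes) -> bool:
    """One complete exchange: challenge -> response -> verdict."""
    nonce = site.challenge()
    return site.verify(client_respond(client_key, nonce))


def replay_attack(key: bytes) -> bool:
    """An eavesdropper records one valid exchange and replays the response.

    Returns the verdict on the replayed response. Because the second
    session carries a different nonce, the recorded response is rejected.
    """
    site = CentralSite(key)
    recorded = client_respond(key, site.challenge())
    assert site.verify(recorded)     # the legitimate session succeeds
    site.challenge()                 # later session, fresh nonce
    return site.verify(recorded)     # replayed answer no longer matches


if __name__ == "__main__":
    site = CentralSite(SHARED_KEY)
    print("correct key:", run_handshake(site, SHARED_KEY))
    print("wrong key:  ", run_handshake(site, b"guess"))
    print("replay:     ", replay_attack(SHARED_KEY))
```

The exchange is deliberately one-directional: it authenticates the collector to the central site, which is the threat the post is concerned with (an uninvited caller on the dialup port), and says nothing about confidentiality or about the central site proving itself to the collector. It also still depends on the link layer to keep the response out of reach; the point of the nonce is that even a captured response is worthless on the next call.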