SANS SCADA Security Webcast

I just listened to a SANS SCADA Security webcast. I found the first half or so more interesting than the last half. The audio should be available by tomorrow, and the slides are already posted.

I liked listening to Eric Byres. He described his work with the Industrial Security Incident Knowledgebase. This is real data supplied by 22 companies with SCADA implementations. The price of access to the database is providing at least one case study of a SCADA security event. I thought this was a novel way to encourage disclosure of security incidents.

I found the following slide surprising.



Yes, 17% of the incidents involved SCADA (or PLC or DCS) systems directly connected to the Internet. Eric said 80-90% of control systems are connected to business systems that are then connected to the Internet. He also said the so-called "air gap" is a "myth."

In 2001 Eric noted an increase in the number of attacks from outsiders. Does this sound familiar?



As I noted before, recidivist internal threats are the easiest to prevent because you can fire the perpetrator and preferably prosecute him/her (assuming you identify the perpetrator). Try doing the same with an unnamed recidivist attacker from a jump box in Romania!

This slide shows financial impact.



I recommend listening to at least the first half of the webcast before you jump all over my thoughts, Slashdot-style. If you heard the whole webcast already, please feel free to comment.

You might find all of the slides useful too.

Comments

Unknown said…
I will definitely look for this. Talks and data like this help align what everyone (media, politicians, professional "talkers...") keeps talking about with actual reality.

Like your mention, stop talking about air gap if the reality is that is just doesn't exist right now. IT (or others farther up the chain) exagerrating their security and inflating what they do with wildly lenient interpretations of regulations or wild delusions of their own systems and processes is quickly becoming a pet peeve of mine...
Anonymous said…
Rich:

This is a good thing to focus attention on. I had the pleasure of talking (too briefly) to one of the folks involved in this project while at Metricon. I asked various pointed questions, and at every turn it looked as though the folks involved had thought the issue through and had proactively addressed my concern. Good stuff.
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics