[SCADASEC] Fw: Fwd: Bolivia: Group Threatens Water Cutoff
Bob Radvanovsky
rsradvan at unixworks.net
Wed Aug 27 15:04:41 CDT 2008
On behalf of "Myrcurial"...
-rad
----- Original Message -----
From: Myrcurial [mailto:myrcurial at 100percentgeek.net]
To: Bob Radvanovsky [mailto:rsradvan at unixworks.net]
Subject: Fwd: [SCADASEC] Bolivia: Group Threatens Water Cutoff
> No dice.
>
> Here's the content....
>
>
> ---------- Forwarded message ----------
> From: Myrcurial <myrcurial at 100percentgeek.net>
> Date: Wed, Aug 27, 2008 at 3:42 PM
> Subject: Re: [SCADASEC] Bolivia: Group Threatens Water Cutoff
> To: scadasec at news.infracritical.com
>
>
> On Wed, Aug 27, 2008 at 9:36 AM, Adriel Desautels <adriel at netragard.com>
> wrote:
>
> > Something that I've been working to wrap my mind around is which threat
> > is more capable, cyber or physical?
> >
>
> I think that the physical threat is much more capable as the extent
> and type of damage can be more precisely controlled.
>
> A few hundred RPGs and some guys in pickup trucks can cause
> semi-permanent damage (greater than 3 months to repair) to a
> sufficiently large number of facilities for less than $500k.
>
> As Norm Dang pointed out on the other list, a chop saw to the base of
> a tower is more damaging than a single non-responsive RTU.
>
>
> On the other hand, a well co-ordinated logical/"cyber" effort (effort
> approximately 2 orders of magnitude greater than simple physical
> attack) could cause a temporary disruption (less than 2 days to
> repair) and would likely not be repeatable due to the kind of response
> that most utility comp.sec. teams would take - especially with the
> kind of push that some of the new players are bringing to the table
> =-> Oh Hai MikeA, pls kic sum butts at nerque?
>
>
> >
> > Is most of that done manually or by computers? If the computers fail,
> > will it still come up in the same amount of time? If the computers fall
> > under the control of a rogue malicious hacker, can he/she prevent the
> > systems from coming back online? Can a hacker cause a meltdown or
> > chemicals to be vented into the air?
>
>
> Without telemetry and nodal calculations, it is unlikely that the
> current grid could be brought up by hand. If the grid were built to
> the specifications used in 1925, then yes, it could - there would be
> sufficient excess capacity and safety that even a very poorly managed
> blackstart would happen correctly. But. The private companies who own
> most of the North American infrastructure have spent the last 30 years
> cutting corners and increasing the load on the system without
> increasing the capacity of the system. Heck, the new PMUs that NERC
> keeps prattling on about will make it easier to run the grid even
> closer to the theoretical maximum performance without dropping
> additional money on actual transmission infrastructure. That said,
> critical islands of power with reliability higher than 25% could be
> created using pre-computed models for the most stable parts of the
> generation/distribution/load map.
>
> Depending on exactly what kind of attack is done (and not a Modbus or
> DNP3 l337 H4x0r), the controlling elements will be damaged but may be
> rebuilt from offline stored backups. It will take some time to sever
> all of the comm links, but once accomplished, they should be able to
> start bringing up individual systems (black start generators
> sufficient to start the larger generators) and work towards merging
> the various islands of power. It will be done using a mixture of
> technology and old-fashioned people and process -- amazing what an
> engineer can do with a telephone in hand.
>
> The kind of attack that works well as a movie plot is generally not
> going to happen in the real world -- a point I tried to make at DEFCON
> -- the *safety* systems will cause a failing system to come to rest in
> a safe state. That's what they do. And the engineering behind them is
> the kind of engineering we're asking be built into *control* systems
> -- assume the worst and arrive at a safe state. Out-of-control nukes
> don't melt down, they shut down. The operators (of all large systems,
> thermal, hydro and nukes) are amongst the most conscientious,
> altruistic people I've ever had the pleasure of working with and I can
> categorically say that they would personally walk into the fire to use
> the quaternary shutdown systems by hand before they'd fail in the
> very personal promise they've made to keep the rest of us safe.
>
> I don't know that it's a useful answer, but I think I summed it up
> best when Dan Kaminsky asked "What happens when you fuzz a SCADA
> device?" and I said (after some intervening talk): "The cookie plant
> knows how to shut down, it doesn't make Oreos that kill you."
>
>
> ~M
>
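The "assume the worst and arrive at a safe state" principle from the message above, as an added example that is not part of the original thread: a simulated process controller whose interlock validates every telemetry frame and latches the actuator in its safe state on anything a fuzzer would send (garbage bytes, NaN, impossible or stale readings), clearing only on a local operator reset. The frame format, class and field names are constructed for this illustration.

```python
import math

SAFE_OUTPUT = 0.0   # actuator de-energised: valve shut, burner off

class FailSafeController:
    """Proportional controller guarded by a latching interlock (constructed example).

    Every input frame is validated before it can influence the actuator.
    Anything a fuzzer might send (garbage bytes, NaN, implausible values,
    stale or replayed data) trips the interlock, which holds the output at
    the safe state until an operator resets it locally.
    """

    def __init__(self, setpoint, lo, hi, gain=0.01, max_age_s=5.0):
        self.setpoint, self.lo, self.hi = setpoint, lo, hi
        self.gain, self.max_age_s = gain, max_age_s
        self.tripped = False
        self.trip_reason = None
        self.last_ts = None

    @staticmethod
    def parse(frame: bytes):
        """Hypothetical frame format for this example: b'T=<float>;TS=<float>'."""
        try:
            fields = dict(part.split("=", 1) for part in frame.decode("ascii").split(";"))
            return float(fields["T"]), float(fields["TS"])
        except (UnicodeDecodeError, ValueError, KeyError):
            return None

    def trip(self, reason):
        self.tripped, self.trip_reason = True, reason
        return SAFE_OUTPUT

    def step(self, frame: bytes, now: float) -> float:
        if self.tripped:                      # latched: ignore all further input
            return SAFE_OUTPUT
        parsed = self.parse(frame)
        if parsed is None:
            return self.trip("unparseable frame")
        value, ts = parsed
        if not math.isfinite(value) or not self.lo <= value <= self.hi:
            return self.trip(f"implausible reading {value!r}")
        if now - ts > self.max_age_s or (self.last_ts is not None and ts <= self.last_ts):
            return self.trip("stale or replayed telemetry")
        self.last_ts = ts
        # normal operation: drive toward the setpoint, output clamped to [0, 1]
        return max(0.0, min(1.0, (self.setpoint - value) * self.gain))

    def reset(self):
        """Local operator action only; the interlock never clears itself."""
        self.tripped, self.trip_reason = False, None
```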