[SCADASEC] Fw: Fwd: Bolivia: Group Threatens Water Cutoff
Allan McDougall
amcdougall at evolutionarysecurity.ca
Wed Aug 27 17:18:28 CDT 2008
This really depends on the kinds of threats that you are looking at.
First, we continuously attempt to divide the threat package into
stovepipes...I would argue that this is not the case and that security folks
in general (yes, I mean all of us) are trying to work our way out of
fighting the last war. I would put forward that concerted attacks will
involve elements that exploit personnel, physical, logical, control and
oversight vulnerabilities to their best advantage.
A small scale attack may involve only one or two elements. A capable threat
element may attempt to use two or more of these elements to advantage. If
you get into state-level actors, you may want to have the whole gamut lined
up.
If looking at a threat with sufficient knowledge, skills, abilities and
resources, I would propose that the challenge between the IT and process
control system communities (my apologies if I have missed the correct
terminology) is actually mirrored across the full security and
infrastructure assurance domains--a significant challenge associated with
the stovepiping of systems and training that has disconnected that which
should logically work together.
Knocking a hydro pole down or a tower down is not too bad as long as you can
locate it quick enough--that lesson was learned up here in the ice storm of
'98. The main challenge there wasn't so much that a tower went down...it was
that literally hundreds of towers, poles and other infrastructure thundered
in. At the same time, knock out some distribution nodes and that sort of
infrastructure at the same time as some other points (not likely to be
discussed here...sorry), then things might get a bit more calculated.
I would propose that if you look for the key decision making points,
information and awareness locations, control points and key personnel you
have probably made a good start...but will still have work to do.
Al
> -----Original Message-----
> From: scadasec-bounces at news.infracritical.com [mailto:scadasec-
> bounces at news.infracritical.com] On Behalf Of Bob Radvanovsky
> Sent: August-27-08 4:05 PM
> To: scadasec at news.infracritical.com
> Subject: [SCADASEC] Fw: Fwd: Bolivia: Group Threatens Water Cutoff
>
> On behalf of "Mycurial"...
>
> -rad
>
> ----- Original Message -----
> From: Myrcurial [mailto:myrcurial at 100percentgeek.net]
> To: Bob Radvanovsky [mailto:rsradvan at unixworks.net]
> Subject: Fwd: [SCADASEC] Bolivia: Group Threatens Water Cutoff
>
>
> > No dice.
> >
> > Here's the content....
> >
> >
> > ---------- Forwarded message ----------
> > From: Myrcurial <myrcurial at 100percentgeek.net>
> > Date: Wed, Aug 27, 2008 at 3:42 PM
> > Subject: Re: [SCADASEC] Bolivia: Group Threatens Water Cutoff
> > To: scadasec at news.infracritical.com
> >
> >
> > On Wed, Aug 27, 2008 at 9:36 AM, Adriel Desautels
> > <adriel at netragard.com>
> > wrote:
> >
> > > Something that I've been working to wrap my mind around is which
> > > threat is more capable, cyber or physical?
> > >
> >
> > I think that the physical threat is much more capable as the extent
> > and type of damage can be more precisely controlled.
> >
> > A few hundred RPGs and some guys in pickup trucks can cause
> > semi-permanent damage (greater than 3 months to repair) to a
> > sufficiently large number of facilities for less than $500k.
> >
> > As Norm Dang pointed out on the other list, a chop saw to the base of
> > a tower is more damaging than a single non-responsive RTU.
> >
> >
> > On the other hand, a well co-ordinated logical/"cyber" effort (effort
> > approximately 2 orders of magnitude greater than simple physical
> > attack) could cause a temporary disruption (less than 2 days to
> > repair) and would likely not be repeatable due to the kind of response
> > that most utility comp.sec. teams would take - especially with the
> > kind of push that some of the new players are bringing to the table
> > =-> Oh Hai MikeA, pls kic sum butts at nerque?
> >
> >
> > >
> > > Is most of that done manually or by computers? If the computers
> > > fail, will it still come up in the same amount of time? If the
> > > computers fall under the control of a rogue malicious hacker, can
> > > he/she prevent the systems from coming back online? Can a hacker
> > > cause a meltdown or chemicals to be vented into the air?
> >
> >
> > Without telemetry and nodal calculations, it is unlikely that the
> > current grid could be brought up by hand. If the grid were built to
> > the specifications used in 1925, then yes, it could - there would be
> > sufficient excess capacity and safety that even a very poorly managed
> > blackstart would happen correctly. But. The private companies who own
> > most of the North American infrastructure have spent the last 30 years
> > cutting corners and increasing the load on the system without
> > increasing the capacity of the system. Heck, the new PMUs that NERC
> > keeps prattling on about will make it easier to run the grid even
> > closer to the theoretical maximum performance without dropping
> > additional money on actual transmission infrastructure. That said,
> > critical islands of power with reliability higher than 25% could be
> > created using pre-computed models for the most stable parts of the
> > generation/distribution/load map.
> >
> > Depending on exactly what kind of attack is done (and not a Modbus or
> > DNP3 l337 H4x0r), the controlling elements will be damaged but may be
> > rebuilt from offline stored backups. It will take some time to sever
> > all of the comm links, but once accomplished, they should be able to
> > start bringing up individual systems (black start generators
> > sufficient to start the larger generators) and work towards merging
> > the various islands of power. It will be done using a mixture of
> > technology and old fashioned people and process -- amazing what an
> > engineer can do with a telephone in hand.
> >
> > The kind of attack that works well as a movie plot is generally not
> > going to happen in the real world -- a point I tried to make at DEFCON
> > -- the *safety* systems will cause a failing system to come to rest in
> > a safe state. That's what they do. And the engineering behind them is
> > the kind of engineering we're asking be built into *control* systems
> > -- assume the worst and arrive at a safe state. Out of control nukes
> > don't meltdown, they shut down. The operators (of all large systems,
> > thermal, hydro and nukes) are amongst the most conscientious,
> > altruistic people I've ever had the pleasure of working with and I can
> > categorically say that they would personally walk into the fire to use
> > the quaternary shut down systems by hand before they'd fail in the
> > very personal promise they've made to keep the rest of us safe.
> >
> > I don't know that it's a useful answer, but I think I summed it up
> > best when Dan Kaminsky asked "What happens when you fuzz a SCADA
> > device?" and I said (after some intervening talk): "The cookie plant
> > knows how to shut down, it doesn't make Oreos that kill you."
> >
> >
> > ~M
> >
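The "assume the worst and arrive at a safe state" principle from the quoted reply above, and the observation that control channels may be severed and systems brought back up by hand, can be shown in miniature with a fail-safe interlock. The following is an added example written for this archive page; it is not code from any list member or from any utility or vendor. Everything in it is constructed: the `SafetyInterlock` class, the `Reading` samples, the pressure limit of 100 and the two-second staleness window are illustrative values chosen for the demonstration, not parameters of any real plant.

```python
import math
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    RUNNING = "running"
    SAFE = "safe"  # tripped: outputs de-energised, process at its rest position


@dataclass
class Reading:
    t: float         # arrival time in seconds on a constructed clock
    pressure: float  # process variable; units are arbitrary for this example


@dataclass
class SafetyInterlock:
    """Supervisory interlock that can only move RUNNING -> SAFE on its own.

    Two independent trip conditions are modelled: an out-of-range or
    unparseable process value, and telemetry that has been silent longer than
    `stale_after` seconds. Returning to RUNNING needs an explicit local
    operator acknowledgement, so a lost or compromised control channel cannot
    talk the interlock back up. (Constructed example; limits are illustrative.)
    """
    max_pressure: float = 100.0
    stale_after: float = 2.0
    state: State = State.RUNNING
    last_seen: float = 0.0
    trip_reason: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def _trip(self, reason: str) -> None:
        if self.state is State.RUNNING:
            self.state = State.SAFE
            self.trip_reason = reason
            self.events.append(f"TRIP: {reason}")

    def on_reading(self, r: Reading) -> State:
        """Called for every telemetry sample that arrives."""
        if self.state is State.SAFE:
            return self.state  # latched: later data cannot un-trip it
        self.last_seen = r.t
        if math.isnan(r.pressure) or r.pressure > self.max_pressure:
            self._trip(f"pressure {r.pressure} outside limit {self.max_pressure}")
        return self.state

    def on_tick(self, now: float) -> State:
        """Called by a local clock whether or not data is arriving."""
        silent = now - self.last_seen
        if self.state is State.RUNNING and silent > self.stale_after:
            self._trip(f"telemetry silent for {silent:.1f}s")
        return self.state

    def operator_reset(self, acknowledged: bool) -> State:
        """Only a deliberate, local acknowledgement clears the latch."""
        if acknowledged and self.state is State.SAFE:
            self.events.append("RESET by operator")
            self.state = State.RUNNING
            self.trip_reason = None
        return self.state


def run_scenario(samples: List[Reading], tick_until: float,
                 step: float = 0.5) -> SafetyInterlock:
    """Replay constructed samples against a fresh interlock while the clock ticks."""
    lock = SafetyInterlock()
    pending = sorted(samples, key=lambda r: r.t)
    now = 0.0
    while now <= tick_until:
        while pending and pending[0].t <= now:
            lock.on_reading(pending.pop(0))
        lock.on_tick(now)
        now += step
    return lock


def scenario_overpressure() -> Optional[str]:
    # Constructed: readings climb past the limit at t=1.5, then look normal again.
    samples = [Reading(0.0, 80.0), Reading(0.5, 90.0), Reading(1.0, 99.0),
               Reading(1.5, 120.0), Reading(2.0, 85.0)]
    return run_scenario(samples, tick_until=3.0).trip_reason


def scenario_lost_telemetry() -> Optional[str]:
    # Constructed: healthy readings, then the comm link goes silent after t=1.0.
    samples = [Reading(0.0, 80.0), Reading(0.5, 81.0), Reading(1.0, 80.5)]
    return run_scenario(samples, tick_until=5.0).trip_reason


def scenario_healthy() -> State:
    # Constructed: steady in-range readings every 0.5 s; must not trip.
    samples = [Reading(i * 0.5, 80.0) for i in range(11)]
    return run_scenario(samples, tick_until=5.0).state


def scenario_reset_requires_ack() -> List[State]:
    """After a trip: fresh data alone, an unacknowledged reset, then an ack."""
    lock = SafetyInterlock()
    lock.on_reading(Reading(0.0, 150.0))              # trips immediately
    after_data = lock.on_reading(Reading(0.5, 50.0))   # still SAFE
    after_noack = lock.operator_reset(acknowledged=False)
    after_ack = lock.operator_reset(acknowledged=True)
    return [after_data, after_noack, after_ack]


if __name__ == "__main__":
    print(scenario_overpressure())
    print(scenario_lost_telemetry())
    print(scenario_healthy(), scenario_reset_requires_ack())
```

The design point is in `on_tick`: the staleness check runs off a local clock, not off incoming packets, so cutting the link is itself a trip condition rather than a way to freeze the interlock in its last commanded state. The latch in `on_reading` and the ack requirement in `operator_reset` are what make the "shut down, not melt down" behaviour hold regardless of what the control channel says afterwards.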