[SCADASEC] Trusted Insider

Dogten dogten at d3fcon.org
Tue Feb 12 23:57:10 CST 2008


> Since this is SCADA security how about considering
> what could happen if a trusted insider decided to make a wave?
> How fast can it be detected?
As soon as a utility dropped off the grid it would be detected; the 
question is how long it would take to determine root cause, as opposed 
to core symptom.
> Can it be stopped?
No.
> Can it be traced back to the individual or are the SCADA
> devices not very detailed in access logs?
No, SCADA devices very rarely have useful information in the logs. If 
you can't thwart an untrusted outsider, then how in the world would you 
thwart a trusted insider? They have access; all they need is motive and 
opportunity. I agree with the premise that traditional enterprise INFO 
SEC doesn't directly correlate. The problem here lies in the thought 
processes. The thing that IT security practitioners fail to recognize 
(along with plant managers) is that a determined hacker with a goal is 
not going to be distracted in the least by the technical tools that are 
truly only designed to deter the nuisance hacker wannabe, or at best a 
script kiddie. Hackers don't think in terms of enterprise IT practices, 
or SCADA practices; rather they think in terms of there is a thing that 
they want to mess with and there is a way to mess with it. What is the 
flaw in the process that I can subvert? It does not matter if it is a 
physical lock, a card reader, a guard dog, a firewall, x-factor 
authentication, etc.

-dogten
