[9fans] kind of interesting

[9fans] kind of interesting

[ron minnich]

our power grid in the US is, well, interesting:
http://www.ncsa.uiuc.edu/People/hkhurana/IFIP_CIP_08.pdf

yowie.

ron

Re: [9fans] kind of interesting

[Jason Gurtz]

On 7/2/2008 09:34, ron minnich wrote:
> our power grid in the US is, well, interesting:
> http://www.ncsa.uiuc.edu/People/hkhurana/IFIP_CIP_08.pdf

Additional interest might be found in CIP-001-1 thru CIP-009-1 found at
<http://www.nerc.com/~filez/standards/Reliability_Standards_Regulatory_Approved.html>

It would be great if Plan 9 was running on some of these embedded
devices or in the control room in a monitoring and control role but it
seems like VxWorks/Windows/Linux is too popular.

I will tell you this:  There is money to be made in this SCADA sector
and since it's all still semi-proprietary, people are used to forklift
upgrades and don't care as much about preserving the platform.  Utility
related GIS systems are another fertile ground.

I wince when I see the invoices.

~JasonG

--

Re: [9fans] kind of interesting

[John Waters]

Some time ago I was a pen-tester for a govt contractor.
After a few months into my then new career I found myself constantly
terrified of the state of affairs of our infrastructure.
That was 13 years ago, I honestly hope that things have improved. I
tell myself that  they have just to not hole myself up in a bunker
with an AR15, iodine tablets, and Hunter S. Thompson's (ex) personal
stash of dinty moore beef stew.

I read the abstract for this paper in the very recent past and I was
not at all surprised, it seems to be indicative of everything that is
wrong with the information systems that run our critical
infrastructure. It terrifies me that what protects us is not good
security, but the lack of skill, imagination, and impetus of our
adversaries.

I have been doing some single sign on related "work" at a big
financial institution in the middle east, as a result I have been
finding all kinds of really silly bugs in pretty important software
(again, not naming names), and I am not that smart of a guy. There's
simply no way to get away from the feeling that despite all of the
hard work applied to security, the core software systems that actually
handle critical data are still either totally insecure or far too easy
to misconfigure in an insecure manner.

Marcus Ranum was right, there is simply no patch for stupidity.

jcw

On Wed, Jul 2, 2008 at 6:49 PM, Jason Gurtz <jason@jasongurtz.com> wrote:
> On 7/2/2008 09:34, ron minnich wrote:
>> our power grid in the US is, well, interesting:
>> http://www.ncsa.uiuc.edu/People/hkhurana/IFIP_CIP_08.pdf
>
> Additional interest might be found in CIP-001-1 thru CIP-009-1 found at
> <http://www.nerc.com/~filez/standards/Reliability_Standards_Regulatory_Approved.html>
>
> It would be great if Plan 9 was running on some of these embedded
> devices or in the control room in a monitoring and control role but it
> seems like VxWorks/Windows/Linux is too popular.
>
> I will tell you this:  There is money to be made in this SCADA sector
> and since it's all still semi-proprietary, people are used to forklift
> upgrades and don't care as much about preserving the platform.  Utility
> related GIS systems are another fertile ground.
>
> I wince when I see the invoices.
>
> ~JasonG
>
> --
>
>