[Info-vax] DCL vulnerability write up on The Register
johnwallace4 at yahoo.co.uk
Thu Feb 22 05:11:23 EST 2018
On Wednesday, 21 February 2018 21:27:48 UTC, Stephen Hoffman wrote:
> On 2018-02-21 21:25:34 +0000, Stephen Hoffman said:
>
> > ...
>
> ps: SCADA networks and security: https://dragos.com/blog/trisis/TRISIS-01.pdf
>
>
> --
> Pure Personal Opinion | HoffmanLabs LLC
From the referenced piece:
"The [PLC etc] was configured with the physical
keyswitch in ‘program mode’ during operation.
If the controller is placed in Run mode (program
changes not permitted), arbitrary changes in logic
are not possible substantially reducing the
likelihood of manipulation."
Really? People need 'security researchers' to tell
them this?
And then it gets better.
"the attack of an SIS cannot be taken lightly but
should not be met with hype and fear. "
and
"[we] caution the community not to use this attack
to further other causes as the impact of hype can
be far-reaching and crippling."
So the "security researchers" produce twenty pages
of mostly hype, which could perhaps conveniently
be summarised as
"Don't panic" (in large friendly letters)
and for those with greater reading skills:
"start making sure that you do properly what
you should have been doing properly for the
last few decades, the stuff which has often
been documented as 'best practice' but
equally often been considered insufficiently
shiny or too tedious or insufficiently
profitable or [whatever]"
The whitepaper does at least point out that
it's useful to understand the normal behaviour
of a given system, so that abnormal behaviour
can serve as a warning that all is not well.
But that understanding takes time, and
knowledge, and in the case of control systems,
the behaviour of the system when outside normal
operational parameters may have good reason to
be different from what it normally does. So
how does anyone reliably tell the difference
between "out of normal operating range" and
"under attack"? I wonder if the answer might
be to consult a security researcher?
Which might be a bit like consulting a
forensic fire analyst to identify what
caused a fatal building fire, when what
really needs doing is finding out why
the known and documented fire resistance
standards and procedures had been
repeatedly ignored for the sake of
convenience.
Details matter, eventually.
"Safeguarding civilization".
Maybe.