[Info-vax] DCL vulnerability write up on The Register

johnwallace4 at yahoo.co.uk johnwallace4 at yahoo.co.uk
Thu Feb 22 05:11:23 EST 2018 

On Wednesday, 21 February 2018 21:27:48 UTC, Stephen Hoffman  wrote:
> On 2018-02-21 21:25:34 +0000, Stephen Hoffman said:
> 
> > ...
> 
> ps: SCADA networks and security: https://dragos.com/blog/trisis/TRISIS-01.pdf
> 
> 
> -- 
> Pure Personal Opinion | HoffmanLabs LLC

>From the referenced piece:
"The [PLC etc] was configured with the physical 
keyswitch in ‘program mode’ during operation. 
If the controller is placed in Run mode (program 
changes not permitted), arbitrary changes in logic 
are not possible substantially reducing the 
likelihood of manipulation."


Really? People need 'security researchers' to tell
them this? 

And then it gets better.

"the attack of an SIS cannot be taken lightly but 
should not be met with hype and fear. "
and
"[we] caution the community not to use this attack 
to further other causes as the impact of hype can 
be far-reaching and crippling."

So the "security researcher" produce twenty pages 
of mostly hype, which could perhaps conveniently 
be summarised as 
"Don't panic" (in large friendly letters)
and for those with greater reading skills:
"start making sure that you do properly what
you should have been doing properly for the
last few decades, the stuff which has often
been documented as 'best practice' but 
equally often been considered insufficently
shiny or too tedious or insufficiently 
profitable or [whatever]"


The whitepaper does at least point out that
it's useful to understand the normal behaviour
of a given system, so that abnormal behaviour
can serve as a warning that all is not well.
But that understanding takes time, and 
knowledge, and in the case of control systems,
the behaviour of the system when outside normal
operational parameters may have good reason to
be different from what it normally does. So
how does anyone reliably tell the difference 
between "out of normal operating range" and 
"under attack" ? I wonder if the answer might 
be to consult a security researcher?

Which might be a bit like consulting a 
forensic fire analyst to identify what 
caused a fatal building fire, when what 
really needs doing is finding out why 
the known and documented fire resistance
standards and procedures had been 
repeatedly ignored for the sake of 
convenience.

Details matter, eventually.

"Safeguarding civilization".

Maybe.

More information about the Info-vax mailing list