[SCADA] Ethics in the media and the industry

Myrcurial myrcurial at gmail.com
Sat Apr 12 00:29:36 EST 2008


I guess the part that I don't understand is why the
SCADA-using industries / control systems engineers are so upset when
stories (both the Winkler presentation and the Weiss presentation at
RSA 2008) like this come out.

I think the ethical standard that should be maintained is relevant on
the part of the researcher as well as on the part of the media and
implicitly on the part of the consumer of that media.

For the researcher, please follow your own ethical guidelines.  If
you're like me, you're stuck with ISACA's Code of Ethics (CISA), if
you're a human - do what you think is wholesome and right, if you're a
nasty black hat anarchist world-hater, do what you've got to do.
(Please note, not all pseudonyms equal bad guys.)

For the media, please follow your own ethical guidelines. If you're a
1st tier publisher/organization (there are fewer and fewer every day)
then follow the guidelines that have worked for the last 100 years. If
you're considered mainstream USian media, continue fear-mongering on
the scale to which you've become accustomed. If you're a sleazy
tabloid rag, the aliens do control the power plants and hackers will
eat your children through face space.

For the citizen, please use your brain. Parse information from
multiple sources and do some determination of what the truth might be.
If you can't, well... Nothing anyone can do or say will help you.  You
should probably move into a bunker and wait for the Rapture.

Topically, do I think that a hired penetration testing consultant
could break into a power company from the internet and materially
affect internal systems?  Yes. I've done it myself. Three times. I
also couldn't do it twice.  The odds are sufficiently in favour of the
"FUD".

Am I waiting patiently for anyone from the control side of the problem
to stand up and tell anyone what is and isn't possible in real life on
real systems? Yes. But they haven't.

So - setting ethical issues and reporting aside, does the Emperor have
any clothes on?

The jury is still out.  In my experience, the Emperor is naked and
looking more and more foolish every day.

~Myrcurial

On Fri, Apr 11, 2008 at 9:11 AM, Kevin McGrath
<Kevin.M.Mcgrath at us.ngrid.com> wrote:
> Howdy Ron et al,
>
>  FWIW an example of a previous Winkler FUD event from last October is
>  attached, if that makes it through to the list.
>
>  Anyway, regarding the much more important point about media behavior in
>  publishing these articles, but, not for nothing, don't reporters have to
>  vet their sources? I remember something about having at least two
>  independent confirmations before publishing something, or has that all
>  gone by the board in the news profession? These people also generally
>  work for editors and/or publishers who should be insisting that they
>  check their facts first.
>
>  It seems that they just publish this stuff, willy-nilly, because they
>  think they can get a quick headline and sell more papers or get more web
>  hits or whatever pays their bills these days.
>
>  All we can do is keep jumping on them in public when they do print this
>  crap & keep ignoring those FUD meisters out there.
>
>  Regards,
>  Kevin
>
>
>  Stephan Beirer wrote:
>  > Ron,
>  >
>  >> Moving forward and in an attempt to encourage some more beneficial
>  >> discussion perhaps the media report can be used as poor example of
>  >> ethical "black hat" & Media behaviour and we can maybe look at what
>  >> traits the industry is looking for with people that achieve
>  >> excellence in the industry with respect to ethics.
>  >
>  > what exactly is 'unethical' about Ira's presentation?
>  >
>  >
>  > regards,
>  >
>  > stephan
>  >
>
>  **** For your information: KeySpan is now part of National Grid.****
>
>
>  ********************************************************************************
>  This e-mail and any files transmitted with it, are confidential to National Grid and are intended solely for the use of the individual or entity to whom they are addressed.  If you have received this e-mail in error, please reply to this message and let the sender know.
>
>
>
> ---------- Forwarded message ----------
> From: Kevin McGrath <kmcgrath at keyspanenergy.com>
> To: Discussion of SCADA standards <scada at lists.iinet.net.au>
> Date: Wed, 17 Oct 2007 09:29:50 -0400
> Subject: [SCADA] How to Take Down the Power Grid
> Howdy,
>
>  This guy, Ira Winkler, seems a bit full of himself and while he
>  criticizes the recent DHS generator video as FUD:
>
>  > Again, the news video of the generator blowing itself up is really
>  > cheesy, and too much was made of that individual demonstration.
>  > However, that is really a misapplication of the video, which was
>  > released to create fear, uncertainty, and doubt. It should be
>  > interpreted to mean: If a malicious party were to connect to a SCADA
>  > system, here is one, small result. More importantly, it is easy for
>  > malicious parties to connect to many systems throughout the power
>  > grid and create damage on a massive scale with the proper planning.
>
>  He seems to have no problem spreading his own around:
>
>  > I hope the intent of the DHS was to create enough fear for Congress
>  > to start writing laws that force power companies to secure their
>  > computers. Right now, computer security on the power grid is an
>  > oxymoron. The reality is that Congress doesn't have the balls to pass
>  > such laws, bowing to the mind games of power company lobbyists like a
>  > storm trooper bowing to the mind games of a Jedi.
>
>  The entire article link is below with a tip o' the hat to the IT guy who
>  maintains our SCADA firewall:
>
>  http://www.internetevolution.com/author.asp?doc_id=136047&f_src=drnewsal
>
>  Regards,
>  Kevin
>  --
>  Kevin M. McGrath, CISSP, TCSP-P
>  Lead Analyst | Gas SCADA Support
>  Critical National Infrastructure (CNI) | KeySpan Energy Delivery
>  Office: (718)403-2910 | Cell: (917)939-8569 Nextel 172*86*2119
>  kmcgrath at keyspanenergy.com
>
>
>
>  The content of the SCADA Mailing list messages is copyright. Redistribution of the contents of messages is not permitted except within a subscriber's organisation (eg company). Redistribution via Internet mailing lists is expressly forbidden without the permission of the copyright owner.
>  _______________________________________________
>  Scada mailing list
>  scada at lists.iinet.net.au
>  http://lists.iinet.net.au/cgi-bin/mailman/listinfo/scada
>
>  _______________________________________________
>  SCADA mailing list
>  scada at scadaperspective.com
>  http://scadaperspective.com/mailman/listinfo/scada_scadaperspective.com
>
>
