« Speaking at ISSA International Conference | Main | Dear People, Enough With the One-Time Code Tokens »

What's the deal with SCADA & Smart Grid?

I have to admit that I don't have any background in SCADA or Smart Grid, nor have I done any research into the topic. That being said, I'd have to be blind to not notice all the references in infosec these past few years to these systems. Shoot, just in the past couple weeks Siemens SCADA network was having issues with a new 0-day of malware (related to LNK files).

Why are SCADA systems connected to the Internet? I just don't see the upside. At all. It seems like these systems were designed to be closed, and that there's not really any good reason for that status to have been changed. So, what am I missing? 10 years ago the hubris-drenched response from energy companies was that we needn't worry as their systems weren't Internet-connected. Now, it seems, we're at the other extreme, with what seems to be no appreciable improvements to infrastructure security.

And then there's Smart Grid. Supposedly there are better security measures in place, but they can't be too good from what I've heard. This one actually completely blows my mind, because if I were to design a networked system like this from scratch, I think I'd start with FIPS-compliant, tamper-proof crypto modules that securely generate and store keys, and then build out from there such that the entire system is based on encrypted channels. I'd leverage IPv6 and IPSEC, hardware-accelerate as much of the crypto as possible, and even make sure that the devices only could run an encrypted and signed firmware. I guess I'm guess crazy that way.

As per usual, it seems that the more things change, the more they stay the same. It's a pity, really, as we've made considerable improvements over the years. Of course, if the financial services industry isn't doing a good job protecting ATMs, then I guess there's no reason to hope that the energy industry would protect the grid. *sigh*

TrackBack

TrackBack URL for this entry:
http://www.secureconsulting.net/MT/mt-tb.cgi/1035

Post a comment

About

This page contains a single entry from the blog posted on July 31, 2010 12:28 PM.

The previous post in this blog was Speaking at ISSA International Conference.

The next post in this blog is Dear People, Enough With the One-Time Code Tokens.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.