Since I returned from the yearly hacking & security mega-conference Defcon (and the less well known, but perhaps more interesting, Bsides Las Vegas) last month, I’ve been asked on several occasions to comment on the various control systems specific talks. The truth is, I only went to one or two. This is because – and I can’t say it emphatically enough – I don’t care what they have to say; not right now, at least.
Why?
Because we’re doing such a poor job of security overall that the specific details of whichever attack vector is being discussed merely result in small drops into a bucket of problems to which many are still only giving lip service.
Perhaps I’m being a little unfair here, but to quote one individual paid by the “good guys” to write code and break into utility networks:
“The hardest part of my job is adding attributes to my attacks that will allow the defenders to see me. If I don’t go out of my way to let them find me, I never know they’re there and they never know I’m there.”
This is not an exception, and Defcon really drove home (again) the difference between a hacker’s perspective and that of many defenders.
Hackers will probe, listen, look, wait, and learn about you. They will know as much about you, your staff, your business, your processes, and your technology as they possibly can and then develop a strategy for breaking in.
Defenders, on the other hand, often lay out their defenses in a pre-arranged manner – following best practices, standards, or regulations – and then sort of “set and forget” them.
This is reminiscent of the highly structured British forces in the American Revolution, set to fight against the more adaptive guerrilla style learned by the colonists. There is definitely something to be said for mass, but unless you’re looking at your enemies, figuring out their weak spots, and adapting, you’re likely going to lose.
What does this mean? It means that we need to be constantly evaluating our approaches to security in terms of highly skilled, thinking, adaptive adversaries who often know more about us than we do ourselves. This is an active process in which standards, best practices, and regulations are only tools for us to use in creating our own customized, adaptive defenses; tools that cannot, without personal investment from all of our decision makers, be relied upon to keep us safe.
Finally, Defcon also reminds us, when we discuss “Information Sharing” amongst ourselves, to keep in mind that our commitment to security is visible to and shared with attackers – and the areas where we lack organizational commitment are the areas through which we will be exploited.
I think you make a number of points which are spot on. This one in particular, “in small drops into a bucket of problems to which many are still only giving lip service.”