Wednesday, July 9, 2014

Don't worry about the security of critical infrastructure

We have Top Men working on it:
The U.S. Department of Homeland Security (DHS) has mistakenly released hundreds of documents, some of which contain sensitive information and potentially vulnerable critical infrastructure points across the United States, in response to a recent Freedom of Information Act (FOIA) request about a cyber-security attack.
The Operation Aurora attack was publicized in 2010 and impacted Google and a number of other high-profile companies. However, DHS responded to the request by releasing more than 800 pages of documents related to the 'Aurora' experiment conducted several years ago at the Idaho National Laboratory, where researchers demonstrated a way to damage a generator via a cyber-attack.
Top. Men.  I'm sure that the people who will run your family's health care will fully live up to this level of competence. Oh, and I love this:
The North American Electric Reliability Corporation (NERC) did not respond to a request for comment today by SecurityWeek.
Yeah, I'll bet.  So what's the big deal about Operation Aurora?  It's what didn't happen:
It’s been seven years since that turbine shook and the smoke came out, yet I always thought Aurora was a lost opportunity.

The real beauty of the Aurora demonstration was it clearly showed that a cyber attack could affect a physical process. The specific vulnerability they chose to achieve this, while not unimportant, was not the main point to take from Aurora. It was an effective and dramatic demonstration.

Aurora should have led a massive DHS and US Government push to address the insecure by design ICS that run the critical infrastructure. Instead of taking this and leading a massive PR and bully pulpit campaign building off of this expensive but effective demonstration, people lost their jobs because the video and secret got out.
Yup - H4X0rz can let the magic smoke out of the generator, and the Brass puts everyone on double secret probation.  Good thing this information would never get out.  Oh, wait ...

Pretty cool how the machine shakes from one end to the other, and then it's quite an impressive release of Magic Smoke.  I'm sure that will buff out ...

In related news, a photograph from the DHS' Cyber Security executive management meeting was also released.

Bootnote: This is actually a great demonstration of why it makes no difference which political party wins the election.  This took place under George W. Bush, and the nothing that resulted has continued under Obama. Top. Men.


B said...

The generator shown ISN'T a turbine, but rather a V-16 (probably diesel) generator.

Dave H said...

Reminds me of an editorial cartoon I saw shortly after the Chernobyl disaster. In the far background there's a building missing a wall and part of the roof, with a cloud rising from the gap. A label overhead says "No Containment." In the foreground stand three men in suits and the middle one is saying, "Everything just ducky. Now go away." Above them is a label that says "Containment."

Matt W said...

Although this is an inexcusable mistake made by DHS employees, I don't see anything in the report that isn't already general knowledge to anyone working in (or "researching" on) critical infrastructure.

I'm not aware of anyone with knowledge of security who believes SCADA and ICS are anything but sitting ducks.

kx59 said...

Reminds me, I need to refill the hurricane gas cans.