September 23, 2010

Giving Obama the BRS

Not a good thing (BRS = Big Red Switch). From Reuters:
EXCLUSIVE-Cyber bill would give U.S. emergency powers
Proposed cybersecurity legislation circulating on Capitol Hill would give the president the power to declare an emergency in the case of big online attacks and force some businesses to beef up their cyber defenses and submit to scrutiny.

The draft bill, a copy of which was obtained by Reuters, allows the president to declare an emergency if there is an imminent threat to the U.S. electrical grid or other critical infrastructure such as the water supply or financial network because of a cyber attack.

Industries, companies or portions of companies could be temporarily shut down, or be required to take other steps to address threats.

The emergency declaration would last for 30 days, unless the president renews it. It cannot last more than 90 days without action from Congress.

The draft is a combination of two cybersecurity bills which were merged into one at the urging of Senate Majority Leader Harry Reid. "It (the draft bill) is something that we hope to be able to pass before the end of the year, if we can," Reid spokeswoman Regan Lachapelle told Reuters.
Emphasis mine. This sounds like a much-belated reaction to the whole SCADA scare. Back in 2007, Kelly Jackson Higgins wrote an excellent overview of the problem at Dark Reading:
SCADA State of Denial
Utilities and other process-oriented companies that run supervisory control and data acquisition (SCADA) systems are starting to feel the heat of security vulnerabilities -- and hackers.

Some of these risks -- and bugs -- are unique to their environments, which historically weren't secured because they were built to be isolated, closed systems, but they also share the same Microsoft vulnerabilities as a typical enterprise does. These once-cloistered systems and networks are increasingly using off-the-shelf products such as Microsoft-based operating systems and IP-based networking equipment, and require interconnection via the Internet as well, which also opens the door to attackers from the outside in addition to the inside.

Researchers recently disclosed new vulnerabilities in the OLE for Process Control (OPC) protocols, open source interfaces for process-control apps. And meanwhile, some security vendors are forging partnerships to beef up their security offerings for the SCADA market.

With critical infrastructures at risk when it comes to power (nuclear and otherwise), water, and transportation companies running these systems, the stakes are obviously much higher. Trouble is, these companies aren't necessarily approaching security properly, security experts say.

"It's an industry in denial," says Robert Graham, CEO of Errata Security. "They don't believe they have the security problems they have. It's not a technical issue, but a political issue."

One of the biggest missing links is authentication: Many don't even bother using authentication because they consider their systems closed and therefore safe, he says. "They put in Windows with no intention of ever patching it, and then they are surprised when they get hit by a worm," Graham says. Or they avoid patching and vulnerability testing because these processes pose risks of their own for SCADA systems -- introducing other bugs to their highly sensitive and uptime-demanding systems, for instance. And rebooting isn't an attractive option for these systems that absolutely must be available, either.

Many of these companies assess risk based on past experience with major security events. "They are managed by a Pearl Harbor-type mentality," Graham says. "Until there's a Pearl Harbor, there is no risk as far as they are concerned."
There are some current-day attacks that target SCADA systems -- Stuxnet comes to mind -- but if you keep your system isolated from the network, forbid the use of thumb drives, optical media, etc., and have the single point of contact in your IT department handle all system and software upgrades, you will be fine. 99% of all successful attacks result from stupid corporate culture, clueless users and bad systems administration. Practice safe HEX and you will be fine...

Posted by DaveH at September 23, 2010 7:59 PM