BlackHat Europe 2010: SCADA and ICS for Security Experts

The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure power grids, pipelines, chemical plants, and cookie factories.

Suddenly, every consultant is an expert and every product is loudly advertising how it solves SCADA SECURITY AND COMPLIANCE ISSUES!!!

And because they don't know what the hell they're talking about - 'fake it till ya make it' doesn't work - they're making all of us look stupid.

Let's sit down for a little fireside chat and discuss all things SCADA and ICS with an eye towards increasing our knowledge to the point where we can confidently say: "I'm not an expert at everything, I can help some, may we work together on a solution?"

It's time to stop being a Cyber Idiot and start being a positive contributor. Learn some truth, look behind the curtain, bust some FUD, Oh - and make government agents have kittens. That's fun for everyone.


  1. SCADA and ICS for Security Experts: How to Avoid Being a Cyber Idiot. James Arlen, CISA. Black Hat Europe, Barcelona, 2010
  2. Disclaimer: I am employed in the Infosec industry, but not authorized to speak on behalf of my employer or clients. Everything I say can be blamed on great food, mind-control and jet lag.
  3. Credentials: 15+ years information security specialist; staff operations, consultant, auditor, researcher; utilities vertical (grid operations, generation, distribution); financial vertical (banks, trust companies, trading); ...still not an expert at anything.
  4. 1/ Stop Sounding Stupid
  5. Scada got sexy
  6. Follow the money
  7. Who's an expert now?
  8. One time at security camp
  9-10. Gotta get me a piece of that
  11. 2/ Big Things and Little Things
  12. Not all 'scada' is SCADA
  13. Big things: power grid
  14. Big things: pipeline
  15-16. Interconnected sensors and controls under central management
  17. Supervisory control and data acquisition
  18-23. Little Things: chemical plant, power plant, manufacturing facility
  24. Lots of individual capabilities with some orchestration
  25-27. Programmable logic controllers
  28. Industrial control systems / Distributed control systems
  29. 3/ Part of a Bigger Picture
  30. So if you break the computer, you break everything
  31. What happens when Edna falls into the reactant vessel
  32-33. This is the data
  34-36. This is the process
  37-38. I know you can grok the protocol, can you break the controls?
  39-40. Oh, you forgot about safety
  41-42. Oh, you forgot about testing
  43-44. Oh, you forgot about people
  45. What if it really is SCADA?
  46. Stuff breaks
  47. All the &*^$ing time
  48-49. And it gets fixed
  50-53. And you never noticed
  54. 4/ Practical Positive Things
  55. You can understand this stuff
  56. You can help
  57. They need you
  58. You need to suck it up
  59-60. It's time to learn before teaching
  61. 5/ You Wouldn't Believe Me If I Told You
  62. The Organization is against you
  63. Your prima donna attitude is against you
  64. Your age is against you
  65. It's time to start hacking
  66. First you hack the org
  67-68. Then you own their asses
  69. 6/ Movies Would Have You Believe
  70-79. It's a mad mad graphical awesome world
  80-82. What an afternoon at the console really feels like
  83. 7/ The Media Hypes It As If...
  84-88. There's a hacker behind the bush
  89-91. A 14yo in Mom's basement
  92-94. L337 cadre of genetically engineered supersoldiers
  95. Killer Tubes
  96. 8/ Bad Shit That Actually Happened
  97. Not necessarily public news.
  98. 9/ What Could Have Saved It
  99-101. Superheroes, Ninjas and Pirates
  102. Following Instructions
  103. Or, not sucking at implementation
  104. Or, doing what you're told
  105. Or, stuff that has nothing at all to do with computers
  106. 10/ What You Can Do - Little Picture
  107. Learn
  108. Stop listening to "experts"
  109. Modest changes, massive results
  110. 11/ What You Can Do - Big Picture
  111. Stop feeding the trolls
  112. Avoid being 'that person'
  113. Press for sane acquisitions
  114-115. Study past success
  116. Q & A: @myrcurial, james.arlen@pushthestack.com
  117. Credits, Links and Notices. Me: http://jamesarlen.net and http://www.linkedin.com/in/jamesarlen and sometimes http://liquidmatrix.org/blog. Thanks: all of you, my family, friends, Jeff Moss (for demanding this talk) and the rest of the Black Hat Europe Team. Mentors/Luminaries: D. Anderson, M. Fabro, J. Brodsky, R. Southworth, M. Sachs, C. Jager, B. Radvanovsky and J. Weiss (all from whom I borrowed material). Inspiration: twitter, fast music, caffeine, my lovely wife and hackerish children, blinky lights, shiny things, & altruism. License: http://creativecommons.org/licenses/by-nc-sa/2.5/ca/