Notacon 7 - SCADA and ICS for Security Experts

The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure power grids, pipelines, chemical plants, and cookie factories. Suddenly, every consultant is an expert and every product fixes SCADA. And because they don't know what the hell they're talking about -- 'fake it till ya make it' doesn't work -- they're making all of us look stupid.

Attendees will gain a practical level of knowledge sufficient to keep them from appearing foolish should they choose to opine on any of the various real issues stemming from Industrial Control or SCADA systems. Attendees will also feel embarrassed for something they've said, empowered to call out charlatans, and much less worried about cyberhackers unleashing cyberattacks which cybercause cyberpipelines and cybermanufacturing plants to cybergonuts and cybertakeovertheplanet using cybercookiesofdeath.

  1. SCADA and ICS for Security Experts: How to Avoid Cyberdouchery. James Arlen, CISA. Notacon 7 - Cleveland - 2010
  2. Disclaimer: I am employed in the Infosec industry, but not authorized to speak on behalf of my employer or clients. Everything I say can be blamed on great food, mind-control and jet lag.
  3. Credentials: 15+ years information security specialist; staff operations, consultant, auditor, researcher; utilities vertical (grid operations, generation, distribution); financial vertical (banks, trust companies, trading); some hacker related stuff like game show host, etc.
  4. 1/ Stop Sounding Stupid
  5. Scada got sexy
  6. Follow the money
  7. Who's an expert now?
  8. One time at security camp
  9. Gotta get me a piece of that
  10. Gotta get me a piece of that
  11. 2/ Big Things and Little Things
  12. Not all ‘scada’ is SCADA
  13. Big things: power grid
  14. Big things: pipeline
  15. Inter-connected sensors and controls under central
  16. Inter-connected sensors and controls under central
  17. Supervisory control and data acquisition
  18. Little Things: chemical plant, power plant, manufacturing facility
  19. Little Things: chemical plant, power plant, manufacturing facility
  20. Little Things: chemical plant, power plant, manufacturing facility
  21. Little Things: chemical plant, power plant, manufacturing facility
  22. Little Things: chemical plant, power plant, manufacturing facility
  23. Little Things: chemical plant, power plant, manufacturing facility
  24. Lots of individual capabilities with some orchestration
  25. Programmable logic controllers
  26. Programmable logic controllers
  27. Programmable logic controllers
  28. Industrial control systems/Distributed
  29. 3/ Part of a Bigger Picture
  30. So if you break the computer, you break everything
  31. What happens when Edna falls into the reactant vessel
  32. This is the data
  33. This is the data
  34. This is the process
  35. This is the process
  36. This is the process
  37. I know you can grok the protocol, can you break the controls?
  38. I know you can grok the protocol, can you break the controls?
  39. Oh, you forgot about safety
  40. Oh, you forgot about safety
  41. Oh, you forgot about testing
  42. Oh, you forgot about testing
  43. Oh, you forgot about people
  44. Oh, you forgot about people
  45. What if it really is SCADA?
  46. Stuff breaks
  47. All the &*^$ing time
  48. And it gets fixed
  49. And it gets fixed
  50. And you never noticed
  51. And you never noticed
  52. And you never noticed
  53. And you never noticed
  54. But... WAIT! What about the Aurora Explosion Demo Awesome
  55. 4/ Practical Positive Things
  56. You can understand this stuff
  57. You can help
  58. They need you
  59. You need to suck it up
  60. It's time to learn before teaching
  61. It's time to learn before teaching
  62. 5/ You Wouldn't Believe Me If I Told You
  63. The Organization is against you
  64. Your prima donna attitude is against you
  65. Your age is against you
  66. It's time to start hacking
  67. First you hack the org
  68. Then you own their asses
  69. Then you own their asses
  70. 6/ Movies Would Have You Believe
  71. It's a mad mad graphical awesome world
  72. It's a mad mad graphical awesome world
  73. It's a mad mad graphical awesome world
  74. It's a mad mad graphical awesome world
  75. It's a mad mad graphical awesome world
  76. It's a mad mad graphical awesome world
  77. It's a mad mad graphical awesome world
  78. What an afternoon at the console really feels like
  79. What an afternoon at the console really feels like
  80. What an afternoon at the console really feels like
  81. 7/ The Media Hypes It As If...
  82. (no text)
  83. CYBER (tiled across the slide)
  84. CYBER (tiled across the slide)
  85. (no text)
  86. There's a hacker behind the bush
  87. There's a hacker behind the bush
  88. There's a hacker behind the bush
  89. There's a hacker behind the bush
  90. There's a hacker behind the bush
  91. A 14yo in Mom's basement
  92. A 14yo in Mom's basement
  93. A 14yo in Mom's basement
  94. L337 cadre of soldiers
  95. L337 cadre of supersoldiers
  96. L337 cadre of genetically engineered supersoldiers
  97. Killer Tubes
  98. 8/ Bad Shit That Actually Happened
  99. Not necessarily public news.
  100. 9/ What Could Have Saved It
  101. Superheroes
  102. Superheroes, Ninjas
  103. Superheroes, Ninjas and Pirates
  104. Following Instructions
  105. Or, not sucking at implementation
  106. Or, doing what you're told
  107. Or, stuff that has nothing at all to do with computers
  108. 10/ What You Can Do - Little Picture
  109. Learn
  110. Stop listening to "experts"
  111. Modest changes, massive results
  112. 11/ What You Can Do - Big Picture
  113. Stop feeding the trolls
  114. Avoid being ‘that person’
  115. Press for sane acquisitions
  116. Study past success
  117. Study past success
  118. Q&A: @myrcurial, myrcurial@myrcurial.com
  119. Credits, Links and Notices. Me: http://myrcurial.com and http://cyberdouchery.com and sometimes http://liquidmatrix.org/blog. Thanks: All of you, My Family, Friends, Jeff Moss (for demanding this talk), Kaospunk, Froggy, Tyger and the Notacon Awesome Team. Mentors/Luminaries: D. Anderson, M. Fabro, J. Brodsky, R. Southworth, M. Sachs, C. Jager, B. Radvanovsky and J. Weiss (all from whom I borrowed material). Inspiration: twitter, fast music, caffeine, my lovely wife and hackerish children, blinky lights, shiny things, modafinil & altruism. http://creativecommons.org/licenses/by-nc-sa/2.5/ca/