Motley Moose – Archive

Since 2008 – Progress Through Politics

Hammer Time

There are times for finesse and then there are times for blunt force. Determining which is which is often the defining characteristic of success in any endeavor. The ongoing efforts to address cybersecurity risks and threats to industrial systems have for many years been a period where finesse and patience rule as we slowly accrete the requisite components from which a solution can be constructed. The time has come, however, to swing some hammers.

Crossposted from the ICS-ISAC Blog

Shining LIGHTS on ICS Cybersecurity

(Crossposted from Infosec Island)

As we wrestle through our critical infrastructure cybersecurity conundrum we talk a lot about Big Electricity, Big Oil and other Big Asset Owners.

Certainly these asset owners play a crucial part in providing the services of modern society, and keeping them secure is very important. However, these asset owners are not all – or even most – of the problem.

In the US Electric Sector, for example, there are around 3,200 utilities keeping the lights on. Fewer than 1% of these would be considered Big Electric companies. Drinking and waste water is supplied by over 50,000 US utilities, almost none of which are large operations. Manufacturing, Transportation, Chemical and other sectors are similarly bottom-heavy in terms of demographics.

Obviously, achieving reliable security in large facilities – and none at small ones – only moves us so far towards securing the nation.

The Threats You Don't See

This April I met an energetic young man named Dillon Beresford. He told me that he had gotten some SCADA gear, set up a lab in his apartment, and discovered a raft of vulnerabilities that he would be presenting shortly at TakeDownCon.

The most interesting aspect of the meeting was that it was essentially entirely random – I wasn’t anyplace I would have expected to meet the next rock star of industrial security.

Crossposted from InfoSec Island