
Jul 18, 2010


You do not need a memory stick to infect a SCADA desktop computer. That is usually a catalogue Dell or HP device under the control of the toxic Microsoft Operating Systems as well as the Microsoft browser.

SCADA operators will invariably include inside these computers a variety of personal software, such as social media (Facebook, etc.). Operators do that to pass the time of the day with something entertaining during the long dull hours sitting in network control centers with little to do, since most of the corrective actions in a network have been automated.

The discussion about cyber attacks on SCADA should include a realistic review of what is actually used in the operating environment and what safeguards have been installed to prevent the non-SCADA software infecting SCADA operations.

Most importantly, the human factor should be considered. Research reveals that human errors of omission or commission account for most snafus. With ten thousands of probes per hour, one flaw will surely get through and sit in the software root until "kissed" to wake up and cause mischief.

Although I have a long history of disagreeing with Stewart Baker on privacy, my take on this particular incident (see http://www.cs.columbia.edu/~smb/blog/2010-07/2010-07-16.html) is more or less identical. (My comments on the Clarke/Knake book, which I can summarize as "the book is useful but flawed", are at http://www.cs.columbia.edu/~smb/blog/2010-07/2010-07-13.html)

Thanks, Steve. After reading your review of Clarke/Knake, I await with trepidation your judgment on the technical aspects of chapter 9.

Sounds like maybe we should all invest in wood stoves, just in case...

Not in Virginia, though.


I have less confidence today than I did when the NSTAC and PCCIP reviews were being done that we can shrug off attacks by even 2nd tier nations and state sponsored groups today. When I first brought likely nation state and state sponsored activities to the attention of senior policy makers and managers, they were sure that we were misinterpreting the data and/or that "we should be ok anyway." I have more hope that the effort and investment that we have all made especially since 9/11 will begin to turn the tide in favor of infrastructure owner/operators and those that depend upon them for services.

Having had to drive a successful enterprise recovery effort after a devastating physical attack and overlapping cyberattacks, and having helped others since then, I feel qualified to jump in here. It is my belief that we will soon need every one of the proposed and recent new security/mission assurance hires and then some along with new operations models. I educated and trained some of these folks, managed others, and I have great hope as a result that they will slowly fix things that really matter.

I expect that some of the current Federal initiatives will produce more than just indiscriminately checked boxes on long checklists/spreadsheets/webforms. I figure that in another 5-10 years we will be materially more secure than when we first began addressing these issues.

Thanks for writing to the book and sharing some sections freely.

