We Need to Talk About Getting Smacked in the Face Over TCP
I admit it.
I tweeted out the article about the Illinois water plant, and the one about the South Houston plant the same day. I didn't tweet them because I thought the sky was falling, or that hacking into a single water plant was an act of war.
I tweeted it, because there are strange things going on in the ether, especially in the realms where the real world can be influenced. One such nexus is the one where computer systems interface with and control our physical world.
People know somewhere in the back of their minds that computer systems control processes and yet they don't even think of the what that actually means. Even in the computer security industry people use terms like SCADA, smart-grid, and computer automation all the time without really understanding what they truly mean.
So when there is another water utility plant hacked, or an exploit for a Seimens PLC announced, there are generally two reactions. The first general reaction results in the "the sky is falling" articles. These are generally written by non-technical people who are "shocked" that computers actually run things like water plants and Airbuses and rightly or wrongly convey their shock to whomever will listen.
Of course the second type of reaction is that of the jaded computer security professionals who know the vulnerability of computer systems in general and are far too busy hunting down malware and bank hijacking software to even consider a water plant as anything more than an inconvenience.
I'm writing this article to suggest that those who over-react, in either direction, are doing a disservice to everyone. Why?
Because those who see concerted nation-state cyber attacks in every compromised system are like the little boy who cried "Stuxnet" whenever a control system is hacked and those who poo-poo the vulnerabilities that come to light as if there is nothing to worry about are like the little pig who built his house of straw and said "I'm safe."
So let's look at the facts without the hyperbole, shall we.
Since, the Internet was invented, people have wanted to punch other people in the face over TCP. Or in less juvenile vernacular, we have always wanted to be able to influence the real world (kinetics) via the Internet (cyber). To do this, we have to find a nexus between the kinetic and cyber and the world of SCADA and computer control and automation fit the bill nicely.
Yes, we can reach across thousands of miles at the speed of light and turn a light switch on or off. We can burn up water pumps, release tons of chlorine or other hazardous chemicals, or even bring down portions of the power grid.
The possibilities are endless, because computer systems control just about everything, including centrifuges that are used to enrich uranium and nuclear reactors that consume it.
And if we, as security professionals, cannot talk about all of the scenarios including mundane attacks such as the Maroochy, Illinois or South Houston water plants in a rational, way then we will have failed our profession and those who rely upon computer security and computer systems to provide their drinking water, or to run their nuclear plants.
Forget attribution, attribution is the topic of a whole other article.
It doesn't matter WHO is messing with the pumps, or the centrifuges, or the electrical generators, what matters right now is that we are vulnerable, and we need to figure out how to mitigate those vulnerabilities before we find out that the single water plant that we found compromised was only one of 2,000 that were "pwned" and that the destruction of all of those pumps means that they are out of stock and thousands of people will go without drinking water for weeks.
The threat is real but it's not the end of the world, yet. Let's open the dialog and figure out how to keep from getting hit in the face over TCP ;) without casting aspersions because hacked water plants aren't "sexy" enough or using hyperbole and declaring a global cyberwar because someone used a Russian VPN.