Comment: Re:Can't we detect something that size? (Score 1) 279
It is now - just a VERY low orbit!
Agreed that changing the control parameters would trigger tripwire, but assuming you have appropriate separation of duties in place, the person monitoring tripwire would look at the maint schedule, confirm the change in parameters (in this case rotational velocity) and approve the change. Or note that the parameters are not as per the approved change and scream bloody murder.
Min
Agreed, but those are physical controls, which are required for almost any computing hardware. If you have unfettered physical access to the system, the ONLY thing any technical controls are going to do at that point is slow you down (hopefully long enough for the physical controls to catch up). Something like tripwire is the solution for detection of code tampering.
In a perfect world, yes, you would be able to keep your SCADA systems up to date with all patches and run the latest OS. The reality, however, is that even if MS continued to support security patches for XP until the end of time there would be SCADA systems which are unpatched because of __________ (there's ALWAYS some reason). So the compensating controls around code tampering are still required. As are the compensating controls around network access.
Min
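The two comments above describe a tripwire-style control: baseline the hashes of the files on the control host, detect anything that changed, and then have a separate person compare the detected changes against the approved maintenance schedule, alarming on anything unscheduled or anything that landed with different contents than the ticket specified. The following is an added example of that workflow, not code from the original thread or from the Tripwire product; the directory layout, file names and "maintenance ticket" contents are constructed for the demo.

```python
import hashlib
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Walk root and record {relative path: digest} for every regular file."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_digest(full)
    return baseline


def compare(baseline, current):
    """Diff two snapshots into added / removed / modified path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def triage(changes, current, approved):
    """Separation-of-duties step: the monitor checks each detected change against the
    maintenance schedule. `approved` maps path -> digest the file is supposed to have
    after the scheduled work. A change is approved only if the path is on the schedule
    AND the content matches; everything else (unscheduled edits, scheduled edits that
    landed with the wrong content, deletions) is an alarm."""
    ok, alarm = [], []
    for kind, paths in changes.items():
        for p in paths:
            if kind in ("modified", "added") and p in approved and current[p] == approved[p]:
                ok.append(p)
            else:
                alarm.append((kind, p))
    return {"approved": sorted(ok), "unexpected": sorted(alarm)}


def demo():
    """Constructed scenario: one scheduled change done correctly, one scheduled change
    done with the wrong parameters, and one unscheduled edit to an executable."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("bin/ctl", b"#!/bin/sh\necho run\n")
        write("etc/rotor.cfg", b"rpm=1500\n")
        write("etc/pump.cfg", b"flow=40\n")
        baseline = take_baseline(root)

        # Maintenance ticket (hypothetical): rotor to 1600 rpm, pump to flow=50.
        # The ticket records the digest of the approved new contents.
        approved = {
            "etc/rotor.cfg": hashlib.sha256(b"rpm=1600\n").hexdigest(),
            "etc/pump.cfg": hashlib.sha256(b"flow=50\n").hexdigest(),
        }

        write("etc/rotor.cfg", b"rpm=1600\n")             # as scheduled
        write("etc/pump.cfg", b"flow=90\n")               # scheduled, but not the approved value
        write("bin/ctl", b"#!/bin/sh\necho tampered\n")   # not on the schedule at all
        current = take_baseline(root)
        return triage(compare(baseline, current), current, approved)


if __name__ == "__main__":
    print(demo())
```

The check only tells you what changed and whether it matches the paperwork; as the comment notes, it does nothing against someone with physical access who can also edit the baseline, so the baseline and the approved-change list need to live somewhere the host being monitored cannot write.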
This is why most security folks highly recommend SCADA and industrial control systems be put on an isolated network with an air gap. Typically these systems have a limited need to read
Again, not proof against Bruce in a bad mood, but mere mortals will find it hard to crack
Min
You are welcome to, but if the story I quoted before doesn't convince you feel free to search google news. I would suggest "Gambling site" "Random" and "DoS" as search criteria.
Min
[citation]http://www.cbc.ca/news/technology/story/2006/10/28/online-gambling.html[/citation]
In the case I was involved with it was wired via Western Union to a place in Moscow where (according to the PI we hired) it was picked up by call girls and taken back to the culprits. They did eventually get nailed but it took years due to the complexities of law enforcement in an international environment.
We eventually signed with Prolexic to stop them coming back.
Min
Typically, yes (assuming your OS platform of choice doesn't have some other resource that can be remotely exhausted more cheaply than bandwidth). The problem is one of the standard defender dilemmas: The attacker needs bandwidth for a short period of time (typically), as their goal is to make you say "Uncle", whether that means paying their ransom, capitulating to some demand or whatever. You as a defender have to incur a cost for your defensive strategy that is either (relatively) low, non-scalable, and continuing (trying to out-provision the attacker) or a high-cost outsourcing solution. The attacker on the other hand rents 10,000 nodes for $200/day. Figure that's about 5 gigs conservatively (we'll say
That's why the outsourcing solution tends to be the way to go if you're being targeted by anyone willing to spend halfway decent money on attacking you. The ROI from the attacker's POV looks pretty good. Say they ransom you for 50K (an average number for such things). If they have to keep you under DDoS for even a week till you cave (378 TB worth of data), that nets them 48,600. That's a pretty good business case from their point of view.
It's one of those moments when it sucks to be the good guys.
Min
I used to run infosec for one of the mid-tier online gaming operations run out of the Caribbean. We got extorted by one of these gangs, and ended up paying Prolexic (they were Digidefense at the time) to solve this for us.
As for whether you can risk doing without it, it depends strongly on what your user tolerance for downtime is and how bursty your revenue stream is. The lower the tolerance and/or the more bursty the revenue stream, the more vulnerable you are to this sort of attack methodology, as the opposition pays for the time they are actually attacking you, so if you can weather the attack they'll eventually give it up. If on the other hand they can cost you significant sums of cash by taking you out for 6 hrs (say sports betting, target the opening day games), that increases your susceptibility to these attacks.
Feel free to drop me a line if you have any more questions (my
Min
I've lived through this (although in my case the twits doing it were holding us for ransom). Prolexic was the solution we went with and I endorse it. The economics of the situation strongly favor outsourcing to a third party. It's a service you'll likely need for a short period of time; provisioning it yourself would entail obtaining equipment and specialized expertise that you would have to commit to over a long period of time. A Prolexic can afford to obtain better equipment, and have specialized staff who can configure it to block the latest attack because they're dealing with it for clients constantly.
Min
Ah yes, I remember reading an EchoMail message from a fellow who watched the Berlin Wall come down.
1:351/1 was my node if memory serves
It's amazing what we can take for granted when we cease stopping to think about it. Thanks for reminding me.
Min
There is something between a warrant and hacking. It's called "asking". If Facebook receives a request for information from a federal agency, they can choose to comply (I doubt there's anything in the contract you have with them that prohibits it) of their own free will. No warrant required.
The feds might even say "Please".
Min
This one was (fortunately) in an unpopulated area of Russia or it'd have been bad casualty wise. As it stands it's believed to be the largest non-nuclear explosion. Caused by cyber-war/cyber-espionage:
Just when you thought you were winning the rat race, along comes a faster rat!!