Water Utility SCADA 'Attack': The, um, washout
Not an attack: an already failing pump, and an employee of a contractor to the utility who was ... wait for it ... traveling in Russia on personal business.

WaPo via Lauren @ Privacy: http://j.mp/rrvMXR

Cheers,
-- jra
--
Jay R. Ashworth                  Baylink                       jra@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA      http://photo.imageinc.us             +1 727 647 1274
On Nov 26, 2011, at 10:14 AM, Jay Ashworth wrote:
traveling in Russia on personal business.
I've noticed that in general, when there isn't an actual attack taking place, but rather some kind of misconfiguration or other issue, there's all too often a tendency to run around shouting about the 133t h4x0rs; and when there's really an attack taking place, it's the last thing to be considered, if ever, heh.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde
My comment about a certain person leaking public-private sector correspondence to the media still applies then.

https://plus.google.com/114359738470992181937/posts/DSnJfKqrJK1

Andrew

________________________________
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
Sent: Saturday, November 26, 2011 3:14 AM
Subject: Water Utility SCADA 'Attack': The, um, washout

Not an attack: an already failing pump, and an employee of a contractor to the utility who was ... wait for it ... traveling in Russia on personal business.

WaPo via Lauren @ Privacy: http://j.mp/rrvMXR
+1

This isn't the pentagon papers.

Those found leaking should face the legal consequences for sbu information leakage.

One can't have every email/memo leaked as it makes it unfeasible to perform ones job.

Jared Mauch

On Nov 26, 2011, at 7:51 AM, "andrew.wallace" <andrew.wallace@rocketmail.com> wrote:
My comment about a certain person leaking public-private sector correspondence to the media still applies then.
https://plus.google.com/114359738470992181937/posts/DSnJfKqrJK1
Andrew
These reports are meant for private sector eyes only. I suggest new secrecy legislation, for fusion centres.

Andrew

________________________________
From: Jared Mauch <jared@puck.nether.net>
To: andrew.wallace <andrew.wallace@rocketmail.com>
Cc: Jay Ashworth <jra@baylink.com>; "nanog@nanog.org" <nanog@nanog.org>
Sent: Saturday, November 26, 2011 8:14 PM
Subject: Re: Water Utility SCADA 'Attack': The, um, washout

+1

This isn't the pentagon papers.

Those found leaking should face the legal consequences for sbu information leakage.

One can't have every email/memo leaked as it makes it unfeasible to perform ones job.

Jared Mauch
On Nov 26, 2011, at 5:18 PM, andrew.wallace wrote:
These reports are meant for private sector eyes only. I suggest new secrecy legislation, for fusion centres.
It already exists :)

People may be subject to prosecution for leaking this to the public. It's that simple. Problem is it can't be undone, so it's not an interesting case in some regards...

- Jared
I expect to see Joe Bloggs arrested next week then, it won't happen though.

Andrew

________________________________
From: Jared Mauch <jared@puck.nether.net>
To: andrew.wallace <andrew.wallace@rocketmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Sent: Saturday, November 26, 2011 10:38 PM
Subject: Re: Water Utility SCADA 'Attack': The, um, washout

On Nov 26, 2011, at 5:18 PM, andrew.wallace wrote:
These reports are meant for private sector eyes only. I suggest new secrecy legislation, for fusion centres.
It already exists :) People may be subject to prosecution for leaking this to the public. It's that simple. Problem is it can't be undone, so it's not an interesting case in some regards... - Jared
On Sat, 26 Nov 2011 17:38:55 EST, Jared Mauch said:
I suggest new secrecy legislation, for fusion centres.
It already exists :)
People may be subject to prosecution for leaking this to the public. It's that simple. Problem is it can't be undone, so it's not an interesting case in some regards...
Actually, it's *not* that simple - it's complicated enough that a quick knee-jerk "There should be a law against it" reaction is probably a bad idea. (In fact, I'll go out on a limb and say that one-sentence "there should be a law against it" reactions are almost always a bad idea).

After all, fusion centers were originally created because too many agencies had laws and regulations banning the sharing of information. We saw a decade ago just how well *that* worked out for us. So it's not at all clear that "new" laws making things *more* classified are a good idea in this case. Nor is it obvious how to code useful laws to prohibit the dissemination of data from a group set up for the express purpose of mining data and disseminating the results. Sure you can tighten things down, but if a fusion center can't release something quickly, it's not a lot of use, is it?

(We've more than once gotten stuff from various TLA's stamped with a default "No Foreign Nationals" that ended up being totally unusable because we've got foreign nationals all over the place, and had to wait for a second copy that had gotten kicked down to "FOUO" so we could use it - loads of fun)

So the last thing we need is people who don't even know what laws already exist calling for the creation of *new* laws.

And quite frankly, which way do you want these things to fail? Do you want an early alert that says "evil packets may be coming in from Russia", or do you want it to wait till they've verified it's a contractor's employee ssh'ing in while on vacation? Sure, a few people have some egg on their faces and now have a really good bar story. But let's keep in mind that it took several days to sort this one out - coincidentally, just about the same number of days that it took Sony to come out and say that PSN got whacked.

You really can't have it both ways. Which do you want, false positives or false negatives?
I would actually carry this to another level, and say this "leak" could be considered evidence that the fusion centers are working quite well. The fact is that a fusion center, in this case, enabled the community to:

1) respond to an event (together);
2) know where to contribute any coordinating information, now or in the future;
3) be on the lookout for similar events;
4) raise awareness about a perceived problem that doesn't seem to be getting better;
5) perceive a measure of transparency in the operation and utility of these fusion centers.
From where I stand this disclosure being dubbed a "leak" is improper. Perhaps it was a leak, perhaps it was an intentional disclosure. Either way, it showed that fusion centers are working to escalate the attention given to potentially serious issues, with a defined benefit to the community they serve, while operating with an appropriate degree of cooperation between TLAs. And while there was media FUD early on, the final output was clear, concise, and non-speculative.
On Sat, Nov 26, 2011 at 7:40 PM, <Valdis.Kletnieks@vt.edu> wrote:
--
Kyle Creyts
Information Assurance Professional
BSidesDetroit Organizer
"andrew.wallace" <andrew.wallace@rocketmail.com> writes:
These reports are meant for private sector eyes only. I suggest new secrecy legislation, for fusion centres.
Making it harder to share information on incidents and vulnerabilities is not the best of ideas.

Over the last ten years I have seen much, much, MUCH more damage resulting from information *not* being shared than from information being improperly shared.

--
Leif Nixon - Security officer
National Supercomputer Centre - Swedish National Infrastructure for Computing
Nordic Data Grid Facility - European Grid Infrastructure
On Nov 28, 2011, at 1:43 AM, Leif Nixon wrote:
Making it harder to share information on incidents and vulnerabilities is not the best of ideas.
Over the last ten years I have seen much, much, MUCH more damage resulting from information *not* being shared than from information being improperly shared.
Generally, I agree with you, but, FUD is not information. Spreading FUD (as is the case in this incident more than information) is more harmful than good.

Making it harder to spread misinformation and FUD is good. Making it harder to share information is bad.

Information is the anti-FUD.

Owen
On Nov 28, 2011, at 5:31 PM, Owen DeLong wrote:
Making it harder to spread misinformation and FUD is good. Making it harder to share information is bad.
Unfortunately, it's often quite difficult to distinguish between the two when formulating policies, regulations, legislation, and so forth.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

The basis of optimism is sheer terror.

-- Oscar Wilde
On Nov 28, 2011, at 2:40 AM, Dobbins, Roland wrote:
Unfortunately, it's often quite difficult to distinguish between the two when formulating policies, regulations, legislation, and so forth.
That might be because FUD is usually the main ingredient in policies, regulations, legislation, etc. for the last 2 decades at least. Politicians seem to be addicted to FUD like a baby born on crystal meth. At least in the US.

Owen
Subject: Re: Water Utility SCADA 'Attack': The, um, washout
Date: Sat, Nov 26, 2011 at 03:14:47PM -0500
Quoting Jared Mauch (jared@puck.nether.net):
+1
This isn't the pentagon papers.
Those found leaking should face the legal consequences for sbu information leakage.
One can't have every email/memo leaked as it makes it unfeasible to perform ones job.
Your work email inbox is public record in Sweden, if you are a public employee. If you want something secret, you'll have to work hard for it to be so. Same goes for any file that is not a work-in-progress. (Official notes from a meeting for instance.)

It works.

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Th' MIND is the Pizza Palace of th' SOUL
There is already a law on the books called Protected Critical Infrastructure Information (PCII). It has stiff penalties for leaking the information. The reporting critical infrastructure company has to request the information or report be protected under PCII. In most cases the companies also use their own NDA as well for added recourse if the info gets leaked. Also the fusion center or DHS could have offered this option up since most companies do not know this option/law is on the books. For a State Fusion center to leverage this law they have to get a delegation from DHS or at a minimum bring the executive agent in to declare the info PCII since it's a federal law.

The PCII designator works and has been used in past incidents. Sensitive but unclassified does not work and has widely varying meanings from agency to agency. If it's that sensitive use PCII or classify as SECRET.

Regarding this incident, I was skeptical from the get go. The fog of war around any incident is usually pretty thick at the initial stage. This has been shown even in national level cyber exercises time and time again. FBI/USSS/US-CERT are routinely engaged and investigating cyber incidents and nothing new here. People acted as if that was outside the norm when it was not.

Jerry
Jerry@jdixon.com

On Nov 26, 2011, at 3:14 PM, Jared Mauch <jared@puck.nether.net> wrote:
+1
This isn't the pentagon papers.
Those found leaking should face the legal consequences for sbu information leakage.
One can't have every email/memo leaked as it makes it unfeasible to perform ones job.
Jared Mauch
participants (10):
- andrew.wallace
- Dobbins, Roland
- Jared Mauch
- Jay Ashworth
- Jerry Dixon
- Kyle Creyts
- Leif Nixon
- Måns Nilsson
- Owen DeLong
- Valdis.Kletnieks@vt.edu