On Saturday Jake Brodsky (a frequent commenter, an ICS
manager, and a person with his fingers in lots of ICS security projects) left
a comment on my blog post on the ICS-CERT
Nordex Alert. Jake used my mention of the missed SHODAN angle for the
vulnerability discovery as a springboard to mention Project Shine that he and
Bob Radvanovsky have been working on. I’m glad he did because I have only
mentioned this project in passing.

Project Shine (SHodan INtelligence Extraction) is an ongoing
project that uses the SHODAN search engine to identify industrial control
systems that are facing the internet. To date they have found well over
1,000,000 systems (that number was bandied about back in the middle of
September and they are adding a couple of thousand new systems every week) that
look like control systems.

Now this includes building environmental control systems,
security systems and the like, but there are enough industrial control systems
involved to kill the idea that these systems are not connected to the internet.
This point is emphatically made by Eric Byres in his blog
post.

Now I am not going to get involved in a technical discussion
of how these two are using SHODAN to discover potential ICS systems facing the
internet. Dale
Peterson’s podcast conversation with Bob does that well enough. But I do
want to talk about some interesting implications that Bob and Jake have not
talked about.

First off, you have to understand that Project Shine is not
a professional job (though both Bob and Jake are certainly professionals). As I
understand it, it is being run out of the basement laboratory in Bob’s home. I
don’t suspect that Bob’s basement is really very normal, but this is a project
running on a private system with limited resources. Think of a super geek’s
version of Gibbs’ basement boat building; professionally, even painstakingly,
done in the spare time of a very busy team.

So what would a Project Shine executed by a professional
organization with extensive time, resources and expertise (say the NSA? Or its
Russian or Chinese or Israeli counterparts) look like? Well it wouldn’t use a limited
search engine like SHODAN. It would custom design a program using high-speed
computational assets that geeks like Bob and Jake can only dream about. They
would have a team of engineers and analysts working the project around the
clock. And they would not be afraid to reach out and gently touch the systems
so that they could determine exactly where and what they were.

Why would they do that? Let’s face it; if you want to be
able to conduct cyber-war (and you have to because the other guy is) then you
have to understand the battlefield and you have to have a target list.
Remember, since WWII modern warfare has not been about destroying the other guy’s
military (those are hard targets), it has been about destroying his will and
ability to conduct war. You do that by targeting his critical infrastructure.
And if you are really smart, you might consider weakening his CI well before
you go to war.

If you don’t think that this is happening right now, then
you haven’t been paying attention to the news. Now does this put cybersecurity
for control systems into a different perspective? For most people (and
certainly for politicians) probably not; if nothing has happened, then nothing
will happen.

Except when it does happen, the Washington political
establishment will make Chicken Little look like an over-sedated octogenarian.
Just look at what happened when two buildings were destroyed and a couple of
thousand people killed. What happens when we are really attacked?