Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

STUXPOCALYPSE! HIDE YOUR WOMEN AND CHILDREN!


“Last year, after Stuxnet was identified as a weapon, we recommended to every asset owner in America – owners of power plants, chemical plants, refineries and others – to make it a top priority to protect their systems… That wakeup call lasted only about a week. Thereafter, everybody fell back into coma,” Langner told The Christian Science Monitor in a recent interview.

Ralphy, Ralphy, Ralphy, could it be that your company needs more attention? You personally perhaps? This crying “stuxpocalypse” thing is getting a little out of hand and seems rather low rent, well, wait a minute… Looking at that swank faux leopard pillow you have there, maybe this is your style.. Ok, back on topic.. Where was I?

Oh yes..

Ralph, sure, there are many systems out there running PLCs and yes, they are likely vulnerable to any number of attacks. However, can you please look back and see how long it actually took persons unknown *cough* USA/UK/Israel *cough* to create the Stuxnet attack and breathe a little before you go crying to the likes of the Monitor? I’m sorry, but you are just making yourself look really.. Well.. Needy.

From the quotable “Langner” vol. 2:

“Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don’t have any significant level of cybersecurity for them,” Langner said.

“The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks…. With every day [that] cyber weapon technology proliferates, the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares,” Langner stated.

“Most engineers are aware of the problem, it’s just that they don’t get the budget to fix the problem. The risk is just discounted. As long as management doesn’t see an immediate threat, there is a tendency to ignore it because it costs money to fix,” Langner explained.

“I couldn’t stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened.”

“I’m afraid cyber-arms control won’t be possible… It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first.”

Let’s look at the facts, shall we?

“Funny thing is, all these control systems, if compromised, could lead to mass casualties, but we still don’t have any significant level of cybersecurity for them,” Langner said.

FACT CHECK: ALL the control systems? Really Ralph, that is not going to happen… You smell the hype here folks? MASS CASUALTIES! FUD FUD FUD I’m sorry, no Ralph, sure, if the system were taken down (say power) there would be, the old and infirm would be the first to go, but a wholesale “fire sale” is not going to happen. It’s really the stuff of movies.. Say, you been watching Die Hard recently?

“The most dangerous development is that DHS and asset owners completely failed to identify and address the threat of copycat attacks…. With every day [that] cyber weapon technology proliferates, the understanding of how Stuxnet works spreads more and more. All the vulnerabilities exploited on the [industrial control system] level and [programmable logic controller] level are still there. Nobody cares,” Langner stated.

FACT CHECK: Say Ralph, I seem to remember there being a whole cyber security initiative by the Obama admin that seems to me, covers this area. Though, yeah I would love to see an expedited process, people are looking at this AND knew about these types of attacks WAY before Stuxnet showed up! I mean, how do you think they got the idea in the first place to create such a vector of attack huh? I might also suggest that all of the people who you might be asking about this may not want to talk to you in the first place. It would be like me walking into your house as a stranger and asking “So, what’s your wife’s favourite position in bed?”

“Most engineers are aware of the problem, it’s just that they don’t get the budget to fix the problem. The risk is just discounted. As long as management doesn’t see an immediate threat, there is a tendency to ignore it because it costs money to fix,” Langner explained.

FACT CHECK: Uh yeah.. No.. After what happened in Iran, we are not likely to just avoid the issue altogether.. Once again, I point to the previous statement (wife –> sex –> positions) Rare are the vendors or the end users that are going to divulge the problems they have because they are afraid of compromise, no matter how hard it may be to carry out.

“I couldn’t stand it any longer. We wasted a full year because nobody was listening. We published last September that parts of Stuxnet could be copied and that such a weapon would require zero insider knowledge. Nobody listened.”

FACT CHECK: Well more of a comment really //BEGIN SNARK/SAVE US RALPH! SAVE US!//END SNARK/ people listened.. though, not necessarily to you… Trust me.

“I’m afraid cyber-arms control won’t be possible… It will be costly to fix the vulnerabilities in industrial-control systems. But it will be definitely more costly if we wait until organized crime, terrorists, or nation states make their move first.”

FACT CHECK: Gee Ralph, how about you forget the SCADA systems out there that now have attention and think about everything else out there online. Like, say, every frikkin Windows XP instance still out on the Internet and within private networks that are not patched? How about the fact that said systems are connected to the internet on a regular basis and SCADA aren’t (crosses fingers) Well, they aren’t “supposed” to be. Or did you miss that salient fact that it took a concerted effort to get the Stuxnet into the Iranian facility in the first place because they were NOT connected to the internet as readily as other places?

Ya know.. It’s called HUMINT. We needed someone to plant that USB or place it physically in a box on site. See Ralph, it’s not just some magic incantation and suddenly you’re infected.

Need I also remind you of the 4 0days used?

Yeah..

So please Ralph, get off the Stuxnet nipple.. We know about it.. We just aren’t talking to YOU about remediations.

 


Written by Krypt3ia

2011/09/23 at 19:16

Posted in FUD, STUXNET

2 Responses


  1. My reply was posted on Infosec Island but as it was cross posted I thought I’d place it here as well.

    I think a lot of your “fact check” opinions are misleading at best. I have a lot of respect for your interest and now finding Krypt3ia (just found it today) I will be reading it as I think there is a lot of interesting information.

    The point remains though, Mr. Langner is “sounding the alarm” because most people aren’t listening. McAfee and the Center for Strategic and International Studies found in 2010 that only 35% of critical infrastructure owners checked their systems for Stuxnet; of those, 40% were infected.

    There is a certain level of complacency in the ICS community in regards to cyber security whether it be focused on Stuxnet or not. There are many who are well prepared/invested/and trained to mitigate threats but there simply aren’t enough. The roots of the community are focused in providing availability, not security. “Keep the water pumping. Keep the lights on. Keep the power going, at all costs.”

    Also, I feel your critique on Mr. Langner’s comment about copy-cat attacks fails to recognize the real point. While some people in the world may have recognized the threat as you put it, most people including asset owners did not. These are the people that we have to convince to check their systems, protect them, and be ready for copy-cat like attacks from Stuxnet, Conficker, Slammerworm, etc. It’s not that Stuxnet is so unique in its ability to cause trouble in ICSs but it’s unique in how targeted it was towards PLCs and ICSs.

    We weren’t ready for the things of the past let alone future cyber weapons. The truth is the money isn’t there and “security” is a never ending process that doesn’t give the immediate satisfaction necessary to earn money from asset owners, vendors, and the government.

    Most of your “Fact Check” pieces just seem like obscure opinion pieces devoid of facts. You seem like an intelligent individual with undoubtedly more experience than I, but your last point focusing Stuxnet towards HUMINT alone shows that you do not fully understand the situation nor the attack vectors. And that is speaking from my perspective in the cyber and intelligence gathering communities.

    Robert M. Lee

    2011/09/23 at 21:17

  2. see comments @island.

    Krypt3ia

    2011/09/23 at 21:55

