I was a little late catching it, but Richard Bejtlich made a post titled “First They Came for Bandwidth…” over on his TaoSecurity blog last week that is worth reading. He argues that one of the problems with being in a defensive position with regard to security is a tendency toward a lack of imagination, uses the Ukrainian hacker stock market fraud story as a case in point, and then discusses a progression of attacks.
I think there are some observations from his post that apply well to the control system world:
1.) We aren’t always able to visualize how an attack can happen. This is especially true in our industry. Even though we are rapidly coming out of the realm of obscurity (see number 3 on the “Top Ten SCADA Security Stories in 2007”), we still have a difficult time visualizing how our systems could be attacked.
2.) We aren’t always able to visualize why an attack would happen. Bejtlich’s post challenges us to confront the fact that just because we do not see a motivation for an attack, it doesn’t mean that one doesn’t exist.
3.) The progression timeline is very poignant. The progression itself is not breaking news, but it highlights why we must be diligent. Bejtlich writes:
“Overall I see a progression like the following. (I thought I posted this before but I cannot find it!)
* First they came for bandwidth… These are attacks on availability, executed via denial of service attacks starting in the mid 1990’s and monetized later via extortion.
* Next they came for secrets… These are attacks on confidentiality, executed via disclosure of sensitive data starting in the late 1990’s and monetized as personally identifiable information and accounts for sale in the underground.
* Now they are coming to make a difference… These are attacks on integrity, executed by degrading information starting at the beginning of this decade. These attacks will manifest as changes to trusted data such that those alterations benefit the party making the change. This sort of attack undermines the trustworthiness of data.”
When attackers wanted bandwidth, they weren’t going to find it in an isolated control network segment. And in most control systems, there is nothing incredibly secret about what is happening. Making a difference, or impact, however, is something that is possible with control system attacks — be it in perception only or in reality.