Matt Franz in a recent post at his blog noted, in a very tongue in cheek manner, that some of Digital Bond’s recent Scadapedia articles serve to “arm attackers”. As security through obscurity does not exist it is important to understand that the dissemination of information in and of itself is not bad. Information is a tool, its goodness/badness determined by its use. As the main instigator of two edged articles I think it worthwhile to address this topic.

As there is a huge overlap of techniques used by the bad-guys and the good-guys in performing code assessments, fuzzing, on site assessments (hacking in the bad-guy’s case) etc. it is impossible to educate the good-guys without empowering the bad-guys. We use the same techniques; reconnaissance, discover, enumerate, penetrate, escalate, communicate, cover up and clean up. We use the same tools; Nmap, Metasploit, various debuggers and decompilers, Wireshark, Etercap, etc. And lately, to some degree we are examining the same [control] systems. The hacker community is ever becoming more aware of control systems, and as our nation specifically employs teams discover vulnerabilities so that they can be fixed under the auspices of infrastructure protection, there is a certainty that other nations are looking for similar vulnerabilities, with perhaps not as benign motives.

The only difference between black hat and white hat (bad-guys/good-guys) is the application of the knowledge, techniques and tools that they possess.

To expect the bad-guys to not be able to discern the application of tools to control system environments, to not be able to track down known control system services and their associated ports, to not fuzz and try to develop exploits for control systems if sheer folly. To hope that by not discussing the application of known techniques and tools to control systems the bad-guys will not learn of them, madness akin to putting your head in the sand and hoping that the whole issue will merely disappear.

It is an “arms race” with the only solution in sight being to educate the good-guys, better and faster than the bad-guys and to propagate mitigations at a rate faster than the bad-guys can exploit vulnerabilities. As the “state of the art” in control systems seems to be stuck in the 90’s the above is easier said than done.