So yeah, there was a Target thing, a Home Depot thing, a
J.P. Morgan thing and even a Sony thing. Was it bad, yeah, sorta, if you
consider that some of our largest corporations were owned in a solid manner
and, in some instances, it took months to even discover the breaches. But ironically,
the most discussed incursion is the Sony hack, which in retrospect, is really
nothing since it’s just an entertainment company (this statement in no way
minimizes the effect this incident had on the innocent employees and their
personal information that was leaked). And yet with all the press this Sony
debacle is getting these days, especially when the FBI is firmly sticking to
“it was North Korea that pulled it off”, people seem to have lost sight of a
major area of concern for our nation’s security and that is our ICS and SCADA
infrastructure.
We always hear about the IoT (Internet of Things) and how
it will be a hacker’s paradise, being able to make toasters and refrigerators do
all sorts of dastardly deeds, but there is another IoT that concerns me more
than all of the other attack vectors combined, and that is our critical
infrastructure, which, according to many experts, is ripe for the picking. And
if there are real nation-state actors out there that want to hurt us (and I
believe there are), then they won’t be popping Target, Sony or Cuisinart,
they’ll be targeting the systems that we rely on every day.
Just writing what I have so far I feel like I’ve already
rehashed a lot of what has been reported for months on end, but I also feel
that the truth needs to be repeated so everyone understands just how important
these issues really are to our country’s very existence. Most of you work in
private sector positions, fighting the good fight to keep our PII safe, and
this is needed very much these days, but there is also a great need for the
same kind of tenacity in the ICS/SCADA world. And, if you think it’s tough to
effect change in your particular organization, just think about how hard that
same task is in the even larger world of the major utilities like power,
nuclear, transportation, oil and gas, because when things go wrong in these
areas, people can die and no cyber-insurance policy will ever be able to cover
that adequately.
To be honest, I have no experience at all in any kind of
ICS or SCADA environment (and very little real experience in the general
infosec field), but I can say that if an event on the level of the Sony
incident had happened to one of our critical infrastructure assets, then
the United States would be in a very vulnerable state at this moment.
Even though the Sony story is important in a great many
aspects, there are bigger fish to fry out there and we’re deathly close to
being in that frying pan. So if we really want to be concerned about the
“nation-state” actors, we should be more concerned with our critical
infrastructure and not so much with the breach of a Japanese-based
entertainment company.
REVISIONS:
1. As a general note, all governmental agencies need to cooperate with our critical infrastructure firms BEFORE the $hit hits the fan, not after the fact.
2. Disclaimer: To the author’s knowledge, at no time were any squirrels harmed during the writing and revising of this post. However, we do not know if they reciprocated in kind.
Note: A very special thank you to @chrissistrunk for his
insight on this piece. Wanna know more about ICS, then he’s your man!
Too late but good post Brother!