..and the AMI gear is on the same switch as…

Posted in Physical Security Infrastructure on November 21st, 2011 by Rodney

Nothing new but a decent summary of the state of cyber-security in the
Energy space. No, it’s not just another replay of the “AMI is Hot this week, SCADA was Hot last week” NERC/CIP rant.

Remember, for every substation with AMI head-end gear, there’s some ill-secured SCADA gear, debatably hiding behind its not-really-obscure RS-232 cabling. And next to it, if they have an access control system, will be the network drop for the badge readers at the gate.

All on the same unmanaged switch, of course.

D/R 201: Maintain Fresh Batteries

Posted in Physical Security Infrastructure, Networking Faux Pas, Crypto Plumbing on May 30th, 2011 by Rodney

Years ago, at the dawn of the dot-Com age, when crypto was cool and Distinguished Names were already an arcane concept, there was a story, let’s be kind and say it’s an urban legend, about root keys.  In the early days you bought a BBN Safekeeper.  It kept the RSA private key safe.  It had a battery backup on the memory it used to store the keys (remember, this would have been 1980s tech.)

There was this story about how American Express bought a Safekeeper but forgot to change the batteries.  I’m not sure it’s true but it does point out the need for the key operator to follow policy and use the “split the key and save the parts in separate places” features of modern HSM solutions.
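The “split the key” feature referred to above is, in modern HSMs, normally an M-of-N scheme: the key backup is divided among custodians so that a quorum can reconstruct it while no single stale or lost part is fatal. The following is an added example, not BBN’s or any HSM vendor’s code, that implements that idea with Shamir’s secret sharing over a prime field; the 256-bit key, the 3-of-5 split and the field prime are constructed for the demo.

```python
import secrets

# Field for the shares: the Mersenne prime 2^521 - 1, large enough for any key up to 512 bits.
PRIME = 2**521 - 1


def split_secret(secret: int, threshold: int, shares: int):
    """Split an integer secret into `shares` points on a random polynomial of degree threshold-1."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # Constant term is the secret; the other coefficients are uniformly random field elements.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule, reduced mod PRIME at each step
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation at x=0; any `threshold` distinct shares give back the secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def demo_round_trip():
    """Constructed demo: split a 256-bit key 3-of-5, recover from a quorum, fail below it."""
    key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(key, threshold=3, shares=5)
    quorum_ok = recover_secret([shares[0], shares[2], shares[4]]) == key
    # Two shares interpolate to an unrelated field element (except with probability ~1/PRIME).
    below_quorum_fails = recover_secret(shares[:2]) != key
    return quorum_ok, below_quorum_fails


if __name__ == "__main__":
    print(demo_round_trip())
```

Storing each share with a different custodian is what turns a single dead battery into a recoverable event rather than a lost root key.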

More generally, you should buy a UPS.  Or at least make sure someone is checking that your expectations about continuous, clean, in-budget power are actually being met.  Buy a UPS, make sure you plug into the “special” power strip in the Colo, confirm the D/R plan is NOT on your task list, or somehow think about it.  At least think about it for a moment.

Not the PowerPoint slide you wanted to share

Posted in Physical Security Infrastructure, Networking Faux Pas on December 6th, 2010 by Rodney

This is DEFINITELY not the PowerPoint slide you want shared at your next project postmortem meeting where you discuss poor estimates of project risk.

On the other hand, the next postmortem I have to attend is one of those “…and THAT is why I was standing in the data center in front of the Cisco switch, grumbling about change management” meetings and I SO am putting this image in my PowerPoint deck as a warning.  Something about letting those cowboys out in the Gulf play fast and loose with the tech…

Humble. Definition.

Posted in Physical Security Infrastructure on November 11th, 2010 by Rodney

What you feel when introduced to someone who served over 500 days in combat in World War II.

Please – no “telnet” to the vehicle barrier

Posted in Physical Security Infrastructure on October 18th, 2010 by Rodney

ASIS 2010 Annual Conference/Exhibition, Dallas, Texas. Yep. Went to Dallas. Went to the show. Saw some good things (vendors actually using syslog, managed switches being demonstrated). Saw some things I’m not thrilled with (proprietary protocols used with encryption, serial-to-ethernet converter products (in 2010!!!)). Is this marketplace getting more network-clueful? Yes. Is it still of concern? Yes. The technology available this year in the ASIS exhibition hall can do wonderful things. It can also be deployed in astoundingly insecure ways. It’s a curious mix of decades-old technology (did I mention a serial-to-ethernet converter, on sale in 2010???) and people walking around asking for IPv6. I do feel safer knowing that vehicle barriers big enough to stop a truck are available today. I hope that the integrator who deploys one applies the finest workmanship to that collection of Allen-Bradley ethernet-attached process control electronics huddled in the metal housing on the side of the unit. Don’t make me ask if you can telnet into the vehicle barrier…