SANS SCADA Security Webcast

I just listened to a SANS SCADA Security webcast. I found the first half or so more interesting than the last half. The audio should be available by tomorrow, and the slides are already posted.

I liked listening to Eric Byres. He described his work with the Industrial Security Incident Knowledgebase. This is real data supplied by 22 companies with SCADA implementations. The price of access to the database is providing at least one case study of a SCADA security event. I thought this was a novel way to encourage disclosure of security incidents.

I found the following slide surprising.



Yes, 17% of the incidents involved SCADA (or PLC or DCS) systems directly connected to the Internet. Eric said 80-90% of control systems are connected to business systems that are then connected to the Internet. He also said the so-called "air gap" is a "myth."

In 2001 Eric noted an increase in the number of attacks from outsiders. Does this sound familiar?



As I noted before, recidivist internal threats are the easiest to prevent because you can fire the perpetrator and preferably prosecute him/her (assuming you identify the perpetrator). Try doing the same with an unnamed recidivist attacker from a jump box in Romania!

This slide shows financial impact.



I recommend listening to at least the first half of the webcast before you jump all over my thoughts, Slashdot-style. If you heard the whole webcast already, please feel free to comment.

You might find all of the slides useful too.