Water Utility SCADA 'Attack': The, um, washout

Not an attack: an already failing pump, and an employee of a contractor to the
utility who was ... wait for it ...

traveling in Russia on personal business.

WaPo via Lauren @ Privacy: http://j.mp/rrvMXR

-- jra

I've noticed that in general, when there isn't an actual attack taking place, but rather some kind of misconfiguration or other issue, there's all too often a tendency to run around shouting about the 133t h4x0rs; and when there's really an attack taking place, it's the last thing to be considered, if ever, heh.

My comment about a certain person leaking public-private sector correspondence to the media still applies then.




This isn't the pentagon papers.

Those found leaking should face the legal consequences for sbu information leakage.

One can't have every email/memo leaked as it makes it unfeasible to perform ones job.

Jared Mauch

These reports are ment for private sector eyes only. I suggest new secrecy legislation, for fusion centres.


It already exists :slight_smile:

People may be subject to prosecution for leaking this to the public. It's that simple. Problem is it can't be undone, so it's not an interesting case in some regards...

- Jared

I expect to see Joe Bloggs arrested next week then, it won't happen though.


Actually, it's *not* that simple - it's complicated enough that a quick
knee-jerk "There should be a law against it" reaction is probably a bad idea.
(In fact, I'll go out on a limb and say that one-sentence "there should be a
law agains it" reactios are almost always a bad idea).

After all, fusion centers were originally created because too many agencies had
laws and regulations banning the sharing of information. We saw a decade ago
just how well *that* worked out for us. So it's not at all clear that "new"
laws making things *more* classified are a good idea in this case. Nor is it
obvious how to code useful laws to prohibit the dissemination of data from a
group set up for the express purpose of mining data and disseminating the
results. Sure you can tighten things down, but if a fusion center can't
release something quickly, it's not a lot of use, is it?

(We've more than once gotten stuff from various TLA's stamped with a default
"No Foreign Nationals" that ended up being totally unusable because we've got
foreign nationals all over the place, and had to wait for a second copy that
had gotten kicked down to "FOUO" so we could use it - loads of fun)

So the last thing we need is people who don't even know what laws already exist
calling for the creation of *new* laws.

And quite frankly, which way do you want these things to fail? Do you want an
early alert that says "evil packets may be coming in from Russia", or do you
want it to wait till they've verified it's a contractor's employee ssh'ing in
while on vacation? Sure, a few people have some egg on their faces and now have
a really good bar story. But let's keep in mind that it took several days to
sort this one out - coincidentally, just about the same number of day that it
took Sony to come out and say that PSN got whacked.

You really can't have it both ways. Which do you want, false positives or
false negatives?


This isn't the pentagon papers.

Those found leaking should face the legal consequences for sbu information leakage.

One can't have every email/memo leaked as it makes it unfeasible to perform ones job.

Your work email inbox is public record in Sweden, if you are a public
employee. If you want something secret, you'll have to work hard for it
to be so.

Same goes for any file that is not a work-in-progress. (Official notes
from a meeting for instance.)

It works.

There is already a law on the books called Protected Critical Infrastructure Information (PCII). It has stiff penalties for leaking the information. The reporting critical infrastructure company has to request the information or report be protected under PCII. In most cases the companies also use their own NDA as well for added recourse if the info gets leaked. Also the fusion center or DHS could of offered this option up since most companies do not know this option/law is on the books. For a State Fusion center to leverage this law they have to get a delegation from DHS or at a minimum bring the executive agent in to declare the info PCII since it's a federal law.

The PCII designator works and has been used in past incidents. Sensitive but unclassified does not work and has widely varying meanings from agency to agency. If it's that sensitive use PCII or classify as SECRET.

Regarding this incident, I was skeptical from the get go. The fog of war around any incident is usually pretty thick at the initial stage. This has been shown even in national level cyber exercises time and time again. FBI/USSS/US-CERT are routinely engaged and investigating cyber incidents and nothing new here. People acted as if that was outside the norm when it was not.


"andrew.wallace" <andrew.wallace@rocketmail.com> writes:

These reports are ment for private sector eyes only. I suggest new secrecy legislation, for fusion centres.

Making it harder to share information on incidents and vulnerabilities
is not the best of ideas.

Over the last ten years I have seen much, much, MUCH more damage
resulting from information *not* being shared than from information
being improperly shared.

Generally, I agree with you, but, FUD is not information. Spreading FUD (as is the
case in this incident more than information) is more harmful than good.

Making it harder to spread misinformation and FUD is good.
Making it harder to share information is bad.

Information is the anti-FUD.


Unfortunately, it's often quite difficult to distinguish between the two when formulating policies, regulations, legislation, and so forth.

That might be because FUD is usually the main ingredient in policies, regulations, legislation, etc. for the last 2 decades at least.
Politicians seem to be addicted to FUD like a baby born on crystal meth.

At least in the US.


I would actually carry this to another level, and say this "leak" could be
considered evidence that the fusion centers are working quite well. The
fact is that a fusion center, in this case, enabled the community to:
1)respond to an event (together);
2)know where to contribute any coordinating information, now or in the
3)be on the lookout for similar events;
4)raise awareness about a perceived problem that doesn't seem to be
getting better;
5)perceive a measure of transparency in the operation and utility of these
fusion centers.

From where I stand this disclosure being dubbed a "leak" is improper.

Perhaps it was a leak, perhaps it was an intentional disclosure. Either
way, it showed that fusion centers are working to escalate the attention
given to potentially serious issues, with a defined benefit to the
community they serve, while operating with an appropriate degree of
cooperation between TLAs. And while there was media FUD early on, the final
output was clear, concise, and non-speculative.