Slashdot Mirror

← Back to Stories (view on slashdot.org)

Inside ICS-CERT's War Room

Posted by timothy on from the general-mckittrick's-around-somewhere dept.

itwbennett writes "When Stuxnet first appeared in July 2010, the U.S. response was gathered at the ICS-CERT facilities at Idaho National Labs (INL). 'This is the classified building where phones will start ringing should the next Stuxnet show up, and home to staffers who specialize in IT and industrial systems,' said Robert McMillan, who was invited to attend a training exercise run by the U.S. Department of Homeland Security (DHS) and INL. 'It's small — there were just four analysts there on Thursday — but it looks like the security operations centers you see big companies such as Cisco and Symantec: people sitting in front of computers, with a big screen showing a real time feed of any situations that need to be handled.'"

30 comments

  1. That seems old school. Not in a good way. by bigredradio · · Score: 1

    From what I have read about Stuxnet, it was a global coordinated effort. The benefit to that level of diversity is the "out of the box" thinking is off the chart. You put similar people with similar backgrounds in the same room, and the hacking world will eat their lunch.

    --
    Flexible bare-metal recovery for Linux/UNIX
    1. Re:That seems old school. Not in a good way. by Anonymous Coward · · Score: 0

      From what I have read about Stuxnet, it was a global coordinated effort. The benefit to that level of diversity is the "out of the box" thinking is off the chart. You put similar people with similar backgrounds in the same room, and the hacking world will eat their lunch.

      So you've read the bios of each person working there? You know their qualifications, education and general background? If not, then why did you make the assumption that they're all vanilla flavored? If you did, then post the link(s) so that we, too, can post our disgruntled, pessimist thoughts for the whole world to see.

    2. Re:That seems old school. Not in a good way. by Yvanhoe · · Score: 1

      It was an Israeli military effort. The general Gabi Ashkenazi admitted to have led this effort when going into retirement. Interestingly, I have read this news in several French newspaper but this information never seem to have crossed the language barrier. On both Stuxnet's and Gabi Ashkenazi's pages this fact is mentioned in the French wikipedia but not in the English one. The original source is the Israeli newspaper Haaretz.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    3. Re:That seems old school. Not in a good way. by Xugumad · · Score: 1

      Out of curiousity, do you have any sort of netsec/infosec background, or does most of this come from reporters babbling about how everything is new and different (this time, really, we mean it)?

      Defending a system under attack in real-time is... both very easy, and very difficult. Your main option is whether you pull the plug or not, and if you do that tends to be very effective. The blue/red team wargaming seems more like the sort of thing done to make someone feel they're doing something useful.

      However, having people who can co-ordinate and manage information coming in, I can really see benefit to, even if they're just advising on when/where to pull network cables out to stop the flood.

    4. Re:That seems old school. Not in a good way. by Gimbal · · Score: 1

      I imagine it would be a fun sociological experiment, to conduct a real sociological study of the hypothesis you suggest. Of course, there might be some collateral damage... Maybe it would make for a fine movie, anyways ;}

      [Insert j/k tag here]

    5. Re:That seems old school. Not in a good way. by ZankerH · · Score: 1

      Those facts are not intended for public consumption by the goyim, citizen!

    6. Re:That seems old school. Not in a good way. by bigredradio · · Score: 1

      You misunderstand. I am talking about those that were trying to figure out what stuxnet was and who the intended target could be. That was a global effort. If there is a group attempting to thwart cyber threats, a global coordinated effort seems to make more sense to me than the war room mentality.

      --
      Flexible bare-metal recovery for Linux/UNIX
  2. Classified building? by SquirrelDeth · · Score: 0

    Why would DHS say "Hey buddy come check out our training methods and classified building and then you can write a story and tell everyone all about it"?

    1. Re:Classified building? by borrel · · Score: 1

      the most famous SECRET it operations center just like the most famous SECRET base (area 51) does anyone think there is anything secret there?(i dont, maybe there WAS but then it would be moved to a secret location)

  3. Big Screen? by Lord+Grey · · Score: 1

    ... with a big screen showing a real time feed of any situations ...

    Pfffft. That screen is nothing compared to what you need just to handle development in Eclipse. Pansies.

    --
    // Beyond Here Lie Dragons
    1. Re:Big Screen? by Gimbal · · Score: 1

      Well ain't it some nice techno-bling though?

      Well it's some silliness anyways - an exaggerated presentation of simple information, really. Such tendency for exaggeration in "such things" - it is a large part of why I, myself, will not even try to get a job with such organization. And the world moves on.... :)

    2. Re:Big Screen? by Anonymous Coward · · Score: 0

      Notice that all the analysts have their own personal monitors...

      Big screens like that are nice for showing off to the media and the boss, not so nice for actually reading them. When I was a child my dad was a sysadmin for an electric company and they decided to film a commercial down in the server room for some reason. About half way through, the film crew stopped because "the server wasn't on." The tape deck wasn't spinning... They ended up needing to start a backup so the tape would spin and server would look busy.

    3. Re:Big Screen? by Gimbal · · Score: 1

      Nice level-headed point of view, there.

      Me, I'd be too preoccupied with the burning question, "I wonder how the Ren and Stimpy show would look, on that big screen?" too much to actually get the job done...

      As far as data modeling for comp sec work, so that one wouldn't need a huge screen to get a useful view on a huge data set - well, digressing, I guess that's stuff mostly to show off to the boss, too...?

    4. Re:Big Screen? by ITShaman · · Score: 1

      I know what you mean. I did a gig with a North American electricity supplier, and spent a lot of time in their Ops Center. They had 2 big screens at the front of the room, and about 8 workareas (semi-cicular desks) with 3 monitors on each of them, all the desks facing these massive 2 projection screens. One screen had real-time traffic and weather camera feeds going (why? I don't know, guess they wanted to know how the commute home would go...) The other screen had statuses for some of the more critical servers. Which was also funny, since I was there when one of those servers went from "green" to "red", and 4 pagers/phones went off in the room at the same time, and the those whose phones rang immediately got on the phone and started to troubleshoot, with the big screens all but forgotten.

      In short, it's all for show, not really, truly useful...

      --
      I can no longer read Dilbert. It's too depressing, because it is too real. -- Hyperhaplo
    5. Re:Big Screen? by Dr_Barnowl · · Score: 1

      The traffic and weather feeds were probably pertinent.

      Traffic governs how fast people get home. The first thing people do when they get home is power up a whole bunch of stuff, some of it very hungry - like kettles, for making tea or coffee.

      Weather affects how many lights you turn on, whether you use the dryer rather than the line, etc.

      For the same reason electricity suppliers in the UK need to know the television schedules - historically, we have had fewer channels, and breaks in popular programmes coincide with large numbers of kettles being put on (at 1-3 kW each, this isn't a small thing).

    6. Re:Big Screen? by Anonymous Coward · · Score: 0

      Also storms knock down power lines, and repair vehicles use the same roads as "civilian" vehicles.

    7. Re:Big Screen? by garyebickford · · Score: 1

      Back in the day the flow through the sewer systems was an accurate measure of the popularity of certain TV shows, as everyone flushed during the commercials. Nowadays that probably isn't so true.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  4. Re:hello by L4t3r4lu5 · · Score: 1

    Thanks for an informative post on âoe the topicâ. I was looking for the information and researching on it when I stumbled upon your post. Thanks again

    Hey there, link spammer!

    By default, all URL's on Slashdot have the attribute "rel=nofollow" meaning that web spiders won't follow the links for the purpose of ranking in search engines.

    What it DOES do, however, is ensure that your spam URL www dot efortesolutions dot com makes its way into my DNS shitlist, never to be resolved by anyone inside my organisation again. Furthermore, you're supposed to replace " the topic" with the actual topic of the post. Way to go, douchebag!

    --
    Finally had enough. Come see us over at https://soylentnews.org/
  5. Where were they at when.... by madfilipino · · Score: 0

    Where were they at when the biggest virus to hit the internet - Windows 7 - was released? Sitting on their asses watching all the blinkenlights?

  6. Because.... by jimpop · · Score: 1

    Because... sitting in front of computers, with a big screen showing a real time feed of any situations that need to be handled is a true indicator that things will get accomplished.

    1. Re:Because.... by Errtu76 · · Score: 1

      We have the same for our Nagios instances. Big screen, big red alerts and stuff. Big deal. Fun for management, but my neck starts to hurt if i have to move around too much.

    2. Re:Because.... by Inda · · Score: 1

      Why not?

      I sit here with cmd.exe running and everyone thinks I'm doing something important. The trick is to choose a large directory, with many sub-directories, on a slow server, on the other side of the world.

      >tree /f

      They should pay me extra for knowing that

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    3. Re:Because.... by garyebickford · · Score: 1

      I think it depends on the application. A project I worked on the proposal for was an upgrade to a large rail system. They had a big room with about a dozen huge projection displays that together showed the entire route system with live status from sensor data all over the area. I think every operator had their own console to work on their particular bit of it, but having the entire thing visible to everyone at once provided important contextual information. Similar displays, even full immersion rooms (for somewhat different purposes), are used in the chemical and oil industries. To some extent that would be true for any network-like operation, especially if you have a large number of nodes and edges.

      One of the biggest issues I have with any computer monitor is that it is nearly impossible to provide all the contextual information that any wooden desktop provides. Seeing something 'out of the corner of my eye' is a valuable tool that is essentially not available in a computing environment. Our eyes and brains have an amazing capability to see both close-up detail and simultaneously be unconsciously monitoring a wide area around that detail. Working on computers, even the dual-screen setup I have now, is like always having to see through a porthole.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  7. Re:hello by Anonymous Coward · · Score: 0

    Gentlemen. You can't fight in here. This is the War Room!

  8. Big screens are management porn... by MrOion · · Score: 1

    Big screens are just management porn, its only for showing off to visitors and be taken pictures in front of.

    We have the same in the SOC (Security Operation Center) where I work, and it's always fun watching politicians and other "prominent" people nodding their heads when our manager explains what the screens are showing. The fact is that we never ever use that information ourself, and all the real work is done one our own personal screens.

    But it can be made to look impressive, and make sure the money flows our way... :)

    1. Re:Big screens are management porn... by Anonymous Coward · · Score: 0

      I was in a SOC once that had a bunch of big screen... Really cool looking. I started to ask questions and there was one that had a picture of the US with a bunch of lines all over. I of course thought it was some sort of density of network traffic or something like that so I asked it trying to sound smart I guess. The guy was like, no that is the weather map.... No idea why that was needed, but I felt like an idiot!

  9. Re:hello by Anonymous Coward · · Score: 0

    Ha. Excellent work sir.

  10. USA and Sanhedrin still deny the well known by Anonymous Coward · · Score: 0

    > When Stuxnet first appeared in July 2010, the U.S. response

    The above sentence is, in and itself impossible, considering the anti-iran Stuxnet computer worm was developed on the libyan P-1 uranium centrifuge rig set, which the USA had shipped over to the zionists's Dimona facility, after Colonel Gadhafi made peace with the euro-atlantic "Free World" a few years ago. There can be no "response" per se, if you are one of the initiators, obviously.

    Not too suprisingly, as soon as Stuxnet was activated and done its job on Iran, Colonel Gadhafi and the secret of his P-1 set's destination became redundant, thus a "popular revolution" was quickly created in Libya to depose and kill him... (About as much of a scam as the 1956 hungarian revolution was a CIA scam, to cover the back of the tri-partite invasion of Egypt, except the USSR politburo did not fell for that one.)