Inside ICS-CERT's War Room

← Back to Stories (view on slashdot.org)

Posted by timothy on Tuesday October 4, 2011 @12:52AM from the general-mckittrick's-around-somewhere dept.

itwbennett writes "When Stuxnet first appeared in July 2010, the U.S. response was gathered at the ICS-CERT facilities at Idaho National Labs (INL). 'This is the classified building where phones will start ringing should the next Stuxnet show up, and home to staffers who specialize in IT and industrial systems,' said Robert McMillan, who was invited to attend a training exercise run by the U.S. Department of Homeland Security (DHS) and INL. 'It's small — there were just four analysts there on Thursday — but it looks like the security operations centers you see big companies such as Cisco and Symantec: people sitting in front of computers, with a big screen showing a real time feed of any situations that need to be handled.'"

19 of 30 comments (clear)

Min score:

Reason:

Sort:

That seems old school. Not in a good way. by bigredradio · 2011-10-04 01:04 · Score: 1

From what I have read about Stuxnet, it was a global coordinated effort. The benefit to that level of diversity is the "out of the box" thinking is off the chart. You put similar people with similar backgrounds in the same room, and the hacking world will eat their lunch.

--
Flexible bare-metal recovery for Linux/UNIX
1. Re:That seems old school. Not in a good way. by Yvanhoe · 2011-10-04 01:20 · Score: 1
  
  It was an Israeli military effort. The general Gabi Ashkenazi admitted to have led this effort when going into retirement. Interestingly, I have read this news in several French newspaper but this information never seem to have crossed the language barrier. On both Stuxnet's and Gabi Ashkenazi's pages this fact is mentioned in the French wikipedia but not in the English one. The original source is the Israeli newspaper Haaretz.
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
2. Re:That seems old school. Not in a good way. by Xugumad · 2011-10-04 01:23 · Score: 1
  
  Out of curiousity, do you have any sort of netsec/infosec background, or does most of this come from reporters babbling about how everything is new and different (this time, really, we mean it)?
  Defending a system under attack in real-time is... both very easy, and very difficult. Your main option is whether you pull the plug or not, and if you do that tends to be very effective. The blue/red team wargaming seems more like the sort of thing done to make someone feel they're doing something useful.
  However, having people who can co-ordinate and manage information coming in, I can really see benefit to, even if they're just advising on when/where to pull network cables out to stop the flood.
3. Re:That seems old school. Not in a good way. by Gimbal · 2011-10-04 01:35 · Score: 1
  
  I imagine it would be a fun sociological experiment, to conduct a real sociological study of the hypothesis you suggest. Of course, there might be some collateral damage... Maybe it would make for a fine movie, anyways ;}
  [Insert j/k tag here]
4. Re:That seems old school. Not in a good way. by ZankerH · 2011-10-04 03:27 · Score: 1
  
  Those facts are not intended for public consumption by the goyim, citizen!
5. Re:That seems old school. Not in a good way. by bigredradio · 2011-10-07 02:48 · Score: 1
  
  You misunderstand. I am talking about those that were trying to figure out what stuxnet was and who the intended target could be. That was a global effort. If there is a group attempting to thwart cyber threats, a global coordinated effort seems to make more sense to me than the war room mentality.
  
  --
  Flexible bare-metal recovery for Linux/UNIX
Big Screen? by Lord+Grey · 2011-10-04 01:18 · Score: 1

... with a big screen showing a real time feed of any situations ...

Pfffft. That screen is nothing compared to what you need just to handle development in Eclipse. Pansies.

--
// Beyond Here Lie Dragons
1. Re:Big Screen? by Gimbal · 2011-10-04 01:24 · Score: 1
  
  Well ain't it some nice techno-bling though?
  Well it's some silliness anyways - an exaggerated presentation of simple information, really. Such tendency for exaggeration in "such things" - it is a large part of why I, myself, will not even try to get a job with such organization. And the world moves on.... :)
2. Re:Big Screen? by Gimbal · 2011-10-04 01:44 · Score: 1
  
  Nice level-headed point of view, there.
  Me, I'd be too preoccupied with the burning question, "I wonder how the Ren and Stimpy show would look, on that big screen?" too much to actually get the job done...
  As far as data modeling for comp sec work, so that one wouldn't need a huge screen to get a useful view on a huge data set - well, digressing, I guess that's stuff mostly to show off to the boss, too...?
3. Re:Big Screen? by ITShaman · 2011-10-04 02:24 · Score: 1
  
  I know what you mean. I did a gig with a North American electricity supplier, and spent a lot of time in their Ops Center. They had 2 big screens at the front of the room, and about 8 workareas (semi-cicular desks) with 3 monitors on each of them, all the desks facing these massive 2 projection screens. One screen had real-time traffic and weather camera feeds going (why? I don't know, guess they wanted to know how the commute home would go...) The other screen had statuses for some of the more critical servers. Which was also funny, since I was there when one of those servers went from "green" to "red", and 4 pagers/phones went off in the room at the same time, and the those whose phones rang immediately got on the phone and started to troubleshoot, with the big screens all but forgotten.
  In short, it's all for show, not really, truly useful...
  
  --
  I can no longer read Dilbert. It's too depressing, because it is too real. -- Hyperhaplo
4. Re:Big Screen? by Dr_Barnowl · 2011-10-04 03:32 · Score: 1
  
  The traffic and weather feeds were probably pertinent.
  Traffic governs how fast people get home. The first thing people do when they get home is power up a whole bunch of stuff, some of it very hungry - like kettles, for making tea or coffee.
  Weather affects how many lights you turn on, whether you use the dryer rather than the line, etc.
  For the same reason electricity suppliers in the UK need to know the television schedules - historically, we have had fewer channels, and breaks in popular programmes coincide with large numbers of kettles being put on (at 1-3 kW each, this isn't a small thing).
5. Re:Big Screen? by garyebickford · 2011-10-04 06:19 · Score: 1
  
  Back in the day the flow through the sewer systems was an accurate measure of the popularity of certain TV shows, as everyone flushed during the commercials. Nowadays that probably isn't so true.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Re:hello by L4t3r4lu5 · 2011-10-04 01:32 · Score: 1

Thanks for an informative post on âoe the topicâ. I was looking for the information and researching on it when I stumbled upon your post. Thanks again
Hey there, link spammer!

By default, all URL's on Slashdot have the attribute "rel=nofollow" meaning that web spiders won't follow the links for the purpose of ranking in search engines.

What it DOES do, however, is ensure that your spam URL www dot efortesolutions dot com makes its way into my DNS shitlist, never to be resolved by anyone inside my organisation again. Furthermore, you're supposed to replace " the topic" with the actual topic of the post. Way to go, douchebag!

--
Finally had enough. Come see us over at https://soylentnews.org/
Re:Classified building? by borrel · 2011-10-04 01:36 · Score: 1

the most famous SECRET it operations center just like the most famous SECRET base (area 51) does anyone think there is anything secret there?(i dont, maybe there WAS but then it would be moved to a secret location)
Because.... by jimpop · 2011-10-04 02:00 · Score: 1

Because... sitting in front of computers, with a big screen showing a real time feed of any situations that need to be handled is a true indicator that things will get accomplished.
1. Re:Because.... by Errtu76 · 2011-10-04 02:39 · Score: 1
  
  We have the same for our Nagios instances. Big screen, big red alerts and stuff. Big deal. Fun for management, but my neck starts to hurt if i have to move around too much.
2. Re:Because.... by Inda · 2011-10-04 02:39 · Score: 1
  
  Why not?
  
  I sit here with cmd.exe running and everyone thinks I'm doing something important. The trick is to choose a large directory, with many sub-directories, on a slow server, on the other side of the world.
  
  >tree /f
  
  They should pay me extra for knowing that
  
  --
  This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
3. Re:Because.... by garyebickford · 2011-10-04 06:27 · Score: 1
  
  I think it depends on the application. A project I worked on the proposal for was an upgrade to a large rail system. They had a big room with about a dozen huge projection displays that together showed the entire route system with live status from sensor data all over the area. I think every operator had their own console to work on their particular bit of it, but having the entire thing visible to everyone at once provided important contextual information. Similar displays, even full immersion rooms (for somewhat different purposes), are used in the chemical and oil industries. To some extent that would be true for any network-like operation, especially if you have a large number of nodes and edges.
  One of the biggest issues I have with any computer monitor is that it is nearly impossible to provide all the contextual information that any wooden desktop provides. Seeing something 'out of the corner of my eye' is a valuable tool that is essentially not available in a computing environment. Our eyes and brains have an amazing capability to see both close-up detail and simultaneously be unconsciously monitoring a wide area around that detail. Working on computers, even the dual-screen setup I have now, is like always having to see through a porthole.
  
  --
  It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
Big screens are management porn... by MrOion · 2011-10-04 02:54 · Score: 1

Big screens are just management porn, its only for showing off to visitors and be taken pictures in front of.
We have the same in the SOC (Security Operation Center) where I work, and it's always fun watching politicians and other "prominent" people nodding their heads when our manager explains what the screens are showing. The fact is that we never ever use that information ourself, and all the real work is done one our own personal screens.
But it can be made to look impressive, and make sure the money flows our way... :)