CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

msm1267 writes "A presenter at this week's CanSecWest security conference withdrew his scheduled talk for fear the information could be used to attack critical infrastructure worldwide. Eric Filiol, scientific director of the Operational Cryptology and Virology lab. CTO/CSO of the ESIEA in France, pulled his talk on Sunday, informing organizer Dragos Ruiu via email. Filiol, a 22-year military veteran with a background in intelligence and computer security, said he has been studying the reality of cyberwar for four months and came to the decision after discussions with his superiors in the French government. Filiol said he submitted the presentation, entitled 'Hacking 9/11: The next is likely to be even bigger with an ounce of cyber,' to CanSecWest three months ago before his research was complete. Since his lab is under supervision of the French government, he was required to review his findings with authorities.

'They told me that this presentation was unsuitable for being public,' Filiol said in an email. 'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries)."

hack the planet

[trdtaylor]

knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

Re:hack the planet

This is our world now. The world of the electron and the switch; the beauty of the baud. We exist without nationality, skin color, or religious bias. You wage wars, murder, cheat, lie to us and try to make us believe it's for our own good, yet we're the criminals. Yes, I am a criminal. My crime is that of curiosity. I am a hacker, and this is my manifesto.

Re:hack the planet

[Chrisq]

knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.

Re:hack the planet

[Quixadhal]

How's that old saying go? Security through obscurity is not security at all?

Re:hack the planet

If you want to make sure your talk isn't censored, you use a psuedo-name, you don't talk about your work, and you don't tell your employer. If you are going to disclose research paid for by someone else, you'd better get their authorization in advance. It is frowned on by conference organizers to withdraw a talk. They will usually blackball speakers who do it.

Re:hack the planet

[pla]

knee-jerk reactions are the norm not the exception to security disclosure, and I doubt he has some leeto 0-day to destroy the world with.

This. A discussion about viable "cyberwar" doesn't depend on knowing the latest and greatest weakness in Flash player. It depends on well-documented systemic weaknesses in commonly used PLCs, in protocols like ModBus; and where a practical attacker cares about "consumer" OSs, they care about exploiting the 30 year old unpatched packet drivers for NE2000 compatible cards running under MS-DOS 6.2 (it would amaze you how many "embedded" devices run DOS).

And the focus of such a serious discussion has nothing to do with glory or PII or money, but rather, "crippling infrastructure 101: Electric, water, and traffic control systems 101".

The only reason to censor this as a "threat" comes from the underlying mindset of looking for subtle systemic weaknesses rather than trying to find the digital version of "fly a plane into a building". Think how subtly Israel fucked Iran's nuclear program with Stuxnet, and you have the right idea.

Re:hack the planet

[captainpanic]

Yeah, but other saying goes: You don't have to help the terrorists by making it easy for them.

Re:hack the planet

[DarkOx]

The corollary however is "loose lips sink ships".

I generally come down on the side of disclosure because when it comes to keeping secrets humans are not very good.

First some engineer has a few beers with his cousin, and starts a story out "the boss said don't tell anyone but..." and lets it slip it would possible to enable the thermal cleaning operation of some pressure probe on a gas line without first shutting off the gas, and things could get exciting and you could totally do this without authentication if could just get a connection to signaling bus. Then the cousin repeats this story somewhere for whatever reason and pretty soon the wrong guys hear about it. So just trying to keep it under wraps does not work.

The trick is making sure enough of the right kind of people know about it so the issue gets attention and fixed.

Re:hack the planet

[tsqr]

How's that old saying go? Security through obscurity is not security at all?

As usual, generalizations aren't woth a damn.

Should the Imperial Navy gave told the US Navy they were coming in 1941? Should Ike have let Adolf know it was going to be Normandy? Maybe the Brits should have told the Germans about Bletchley Park?

Sometimes obscurity is all you have to begin with. Sometimes it's all you'll ever have.

Re:hack the planet

[Cenan]

Bullshit. Why do people like you always assume that the fabled terrorist doesn't already know about these holes? Or are actively searching for them? If you've been following security for any length of time, you would know that in most cases the "bad guys" are many steps ahead of the researchers, if not on a whole other playing field. This renders the standard security by obscurity irrelevant, if not straight up dangerous.

But, suppose an imaginary terrorist group has decided that they wish to conduct some good old fashioned cyber-terrorism, what the fuck do you think they're going to do? Wait for a talk at some random conference? Or start utilizing the expertise they have on hand? The massive security holes in the digital infrastructure do not magically appear once a researcher publishes a paper on them, they were there all along. If you're a terrorist and itching for some mayhem, you're not going to sit idly by, twiddling your thumbs and waiting for the next research paper.

By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.

Stupid terrorists go in the front door with guns blazing, and get gunned down in the courtyard. Smart terrorists exploit holes nobody is aware of to maximize their payoff.

* In this reply, the term terrorist is used as a stand-in for <insert scapegoat of choice>, a good choice could be the guys who did this, or this guy, or maybe these guys.

There are so many of them it's not even funny anymore, it has become easier to count the institutions with a grasp on their own security, then those without. So please good sir, wake the fuck up.

Re:hack the planet

[wonkey_monkey]

Should the Imperial Navy gave told the US Navy they were coming in 1941?

Well, kinda, yeah.

Re:hack the planet

[jbmartin6]

The fabled terrorist has had decades to exploit these weaknesses. And judging from the suppression of this research, he will have decades more after this. Where is he? So-called 'terrorist' attacks are very rare despite the huge number of airports, malls, sporting events, weddings, schools, subway trains, busy shipping ports, train stations, popular landmarks, etc etc etc. Yes there is a threat, just like any other sort of crime. But you are right, let's not imagine there are 'terrorists' sitting out there thinking 'gee I wish someone would give me a good idea on what to attack'

Re:hack the planet

That would be relevant if government wasn't just as shady

Re:hack the planet

[Cenan]

My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.

The real threat is not some religious nut job in a cave somewhere, its the ingenious people who spend months or years researching an attack vector, setting up the heist and making off with millions. You just need to switch out the "profit/greed" motivator with a "chaos" motivator to see why those guys are much more dangerous than any "terrorist" we've seen to date.

Sure, bombs have a direct and altogether final consequence for the people nearby, but the blatant ignorance we display with regard to our digital infrastructure has a much larger potential for large scale harm.

Re:hack the planet

[tsqr]

Should the Imperial Navy gave told the US Navy they were coming in 1941?

Well, kinda, yeah.

Kinda, sorta... well, not really. The notification that the Japanese ambassador was supposed to deliver 30 minutes before the attack, but didn't deliver until after the attack had started, wasn't a declaration of war, or a warning that Hawaii was going to be attacked; it was a formal notification that negotiations were being broken off.

There is no denying that there were breakdowns in communication within US government and military that lessened the chances that we would figure out that an attack was imminent, and there were some moves by the Army (particularly the failure to disperse aircraft on the ground) that in hindsight look really boneheaded, but in the end, the Japanese successfully obscured their intentions and the attack was a complete surprise.

Re:hack the planet

[CanHasDIY]

Yeah, but other saying goes: You don't have to help the terrorists by making it easy for them.

By giving the information to a government, they are helping the terrorists.

Re:hack the planet

[CanHasDIY]

My use of the term "terrorist" was also meant as a jab against the mentality of thinking of Arab guys with gun belts and AK-47s. You don't need to blow up a train station to have an impact on people's daily lives, as witnessed time and time again when some BigCorp gets their entire customer catalog siphoned off.

That's not terrorism, it's larceny.

Terrorism is defined, at least by Google, as "the use of violence and intimidation in the pursuit of political aims."

Stealing credit card info isn't violent, nor intimidating. Let's stop conflating "terrorist" with "petty criminal," since doing so only makes it easier for governments around the globe to whittle away at our civil liberties.

Re:hack the planet

[Pope]

Since when does Google define anything? It's a search engine.

Re:hack the planet

[Fnord666]

By keeping your mouth shut about these holes, you are pretty much guaranteeing that they will remain open for exploitation. People in positions with the authority to make decisions about patching the holes will remain oblivious, because let's face it, very few of said people have a fucking clue.

Security by obscurity does not work. I believe that we can all agree on that. On the other hand, responsible disclosure means talking to the people who can do something about a discovered issue should be the first step. Once the issue has been addressed, then a wider disclosure is reasonable.

Re:hack the planet

Having spent some time in the industrial controls space recently, it's not that simple. There is no such thing as a "quick patch". The ICS vendors frequently have little security experience (even now), there are no limited or no contractual clauses to enforce security updates and refresh periods for ICS system can be in the >15 year timelines.

It's getting better. Buyers are getting smarter and mandating this stuff for new installations, but if a vendor won't certify a patch for the system that operates your billion dollar water injection plant, or gas separation facility, as the operator you're out to dry.

Things like ping of death went away years ago in most business and consumer environments. That type of problem is still a critical issue for some industrial control environments where a malformed packet is enough to cause a failure.

I'm not advocating security through obscurity but some of these systems are remarkably fragile.

Re:hack the planet

Oh, so like the IRS and the PACs?

Re:hack the planet

[ColdWetDog]

Your mom is calling. Dinner is ready.

Re:hack the planet

[CanHasDIY]

Since when does Google define anything? It's a search engine.

Well, I would have said, "Terrorism is defined, at least by the website Google references," but for some reason they stopped putting the referenced site's name or URL with the definitions. I presume Dictionary.com is still the favored source.

Re:hack the planet

Why the snarky tone on family and family dinners, bro? Maybe you don't have a family or Mom of your own? You can come join our family and have dinner with us.

Re:hack the planet

Well you know the French. Always going down, always running up the white flag and always running away.

Re:hack the planet

So why the fuck is all this insecure stuff reachable through public networks.

If it's insecure just put it on it's own isolated network. I leave all the doors inside my house unlocked and if I wouldn't have any doors and windows on the outside, I'm very secure against lockpicking.

Implement a NAC (Network Access Control) and require anyone who has to service your billion dollar water injection plant to do it using dedicated laptops that have no wifi and can only run the software to service the system. Put the laptop back in the company safe when the contractor leaves.

Also put the current supplier on a blacklist for having sold you this crap and buy the next system from his biggest competitor.

I can think of something like this in 5 minutes and I'm not paid millions for it.

It's just lazyness, corruption and greed. Any decent engineer would have prevented 75% of these issues.

oh dear

[cascadingstylesheet]

He acted like a human? We can't have that.

Re:oh dear

[Vitriol+Angst]

I think acting like a human and making course corrections is why "some" of my fellow Americans have issues with the French. They mistrust and fear that thing called empathy and reflection.

Re:oh dear

How is that acting like a human?

The world is safe.

[Thanshin]

withdrew his scheduled talk

That was a close one. Fortunately he withdrew his scheduled talk. Now it's impossible that anyone will ever have that information ever.

Since his lab is under supervision of the French government, he was required to review his findings with authorities.

So... There are several people in possession of a information that has a value and that has been publicly identified as valuable.

No problem. Governments only hire people immune to corruption.

Re:The world is safe.

[DMUTPeregrine]

And, you know, no terrorist organization/malicious foreign government/etc has ever built a lab and done research once they know something can be done...

Without knowing what the vulnerabilities are the users can't take steps to protect themselves other than researching to find the vulnerabilities. Attackers will be researching the vulnerabilities anyway. Censorship like this makes people less safe.

Re:The world is safe.

[Tom]

So... There are several people in possession of a information that has a value and that has been publicly identified as valuable.

No problem. Governments only hire people immune to corruption.

There's an important difference. Yes, this information can be obtained by a determined adversary with considerable resources. Making it public, however, would mean every blabbering fool in a cave with an Internet connection has it.

That is quite a difference. We're all constantly going on about how we realize that there's no 100% security - this is just such a case. Making critical information hard to obtain is precisely what security is all about.

Re:The world is safe.

[goddidit]

The French military will use the information for Cybersurrender.

In the 90s...

In the 90s when I was on dial-up tech support we used to make fun of people who were screaming at us that "MY BUSINESS DEPENDS ON THE INTERNET". I still make fun of them... only now it's not so funny.

Still Don't Get It?

[some+old+guy]

All of this stuff about security, privacy, and accountability is just academic masturbation. It has been for years. It is not going to change, because those with the power to change it aren't about to.

The oligarchs who control our governments, security forces, and political parties, own us completely. It is too late to stop them. It is a waste of time to complain and dangerous to resist.

Seriously.

Can we just drop all the faux political drama and talk about, I don't know, programming or something?

Re:Still Don't Get It?

[Thanshin]

Can we just drop all the faux political drama and talk about, I don't know, programming or something?

All of that stuff about programming is just academic masturbation. It has been for years. It is not going to change, because those with the power to change it aren't about to.

The oligarchs who control our CEOs, own us completely. It is too late to stop them. It is a waste of time to complain and dangerous to resist.

Jokingly.

Re:Still Don't Get It?

They mentioned "cyber" in the article; therefore, it's Slashdot material.

If some "Hello Kitty" website mentions "cyber" or "hacking" then it would be on the front page here, too.

Re:It's not bad security.

[Chrisq]

The government officials have forwarded the information to the appropriate security people.

Information like that is obviously not for the general public.

No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that its fixed and look for other weaknesses.

I don't think he does.

FTA: Filiol said his methodology—a combination of information gathered through open source intelligence means, mathematical modeling and infantry techniques—could damage critical infrastructure in the United States, and likely worldwide.

The "cyber" part is only a small part of it. The biggest part is the planning for a coordinated human attack on some infrastructure targets and maybe ways on how to deal with first responders (cops) to keep them from doing their jobs. - just a guess.

It's funny that the article shows a power sub station. Those things are out in the open all over the country and some are in unguarded buildings in cities like NYC.

But I'm mean really. Weather and utility screw-ups have done more damage than any terrorist attack could ever do.

the unspeakable knowings of talknosys

unclarity is the keynote wtf

Self-censored?

[Bogtha]

Since his lab is under supervision of the French government, he was required to review his findings with authorities. [...] They told me that this presentation was unsuitable for being public [...] Filiol said his research is now classified.

I know he says that pulling out was the moral thing to do, but describing this as "self censorship" is a bit of a misrepresentation. He showed every tiing ahead with it until the French government got involved, and if he had wanted to go ahead with it, the French government would have stopped him.

Have we become so pre-programmed ?

[Taco+Cowboy]

Agree. If it were a temporary "we want to close this hole first" thing then I wouldn't have an issue, but silencing disclosure seems to be seen as an alternative to securing systems, which is not only wrong but bad security.

When I read what you wrote a feeling of sadness suddenly surged ...
 
Have we become so pre-programmed by TPTB that we start having second thoughts of our own liberties ?

Look around us ... The American journalists are doing exactly the same.

Instead of reporting what needs to be reported, however bad/ugly the news be, they begin to modify the story in such a way that it can "easier be consumed" and/or "not rocking the boat" and/or "not jeopardizing the country", and so on, and so forth.

So much so that Snowden had to share what he had with someone from UK instead of those from the US of A.

Back to the lecture and the so-called "subject" ... Why should he pulled back on what he was going to say just because someone told him that what he said could be used by the terrorists ?

The keyword is "could", which means, it's not certain at all that
A. The terrorists would have the technological know how to carry out the sabotage
B. The terrorists could locate the actual weaknesses of the infrastructure to carry out their attacks
C. The terrorists never suspect that what he said is after all, a "honeypot"

As all of us start to pulling in a little bit of ourselves, and as we continue to pull ourselves in, bit by bit, the big brother doesn't even need to lift his little pinky to achieve total control over our lives.

We are the nerds. We are the engineers. We are the one who build and engineer and find faults within the systems.

And if we start to NOT do what we are born to do - that is, to find faults to the existing systems, then we might just as well never been born.

Re:Have we become so pre-programmed ?

[plover]

Why should he hold back from publishing? You doubted three specific claims:

A. The terrorists would have the technological know how to carry out the sabotage

People already have carried out technological sabotage on various infrastructure elements. These are generally not publicized because there is negative value in making this information public -- creating panic without a solution is the desire of the attacker. Some information about these attacks is shared in industry appropriate discussions, but these are not public forums, and participants are invited only on a need-to-know basis. There are real attacks on automation systems today, and there are dedicated, well-funded organizations backing these attackers.

B. The terrorists could locate the actual weaknesses of the infrastructure to carry out their attacks

With the nature of automation, an attacker does not need to know that "Manhattan Pumping Station #12" at 127.0.0.1 has a login page susceptible to buffer overflow of exactly 1028 bytes. All they have to do is try a 1028 byte overflow on every SCADA system they find, and maybe a few dozen or a few thousand are similarly unprotected. Even if Manhattan's pumping station fixes their login problem, that doesn't help protect the water pumping systems in Peoria, Illinois, or Nome, Alaska. It's important to remember that a terrorist doesn't have to "call his shots" in advance in order to achieve his objectives of spreading fear or panic.

C. The terrorists never suspect that what he said is after all, a "honeypot"

A honeypot is completely ineffective at determining the identity of an attacker. Sounding an alarm that an attacker is present simply means the attacker will disconnect, and move on to the next potential target. A honeypot is only useful for studying the moves of an attacker, and of potentially diverting them away from your own valuable systems. It can't catch them.

I'm actually not disagreeing with you that we need sunshine in order to fix the problems. The bigger problem is that we have a huge, non-centralized infrastructure that can't be fixed all at once. If Nome, Alaska's pumping station is vulnerable, Nome, Alaska is solely responsible for fixing it. There is nothing about owning such a system that means the owners are up to date on all security issues or patches needed. We may think they should be, but it's academic: they're not patched, they are vulnerable, and the cost of publishing the vulnerabilities could mean the destruction of critical infrastructure.

Industry, government, and law enforcement groups have been trying to solve this problem for quite a while, but they're simply not there yet.

Re:It's not bad security.

The government officials have forwarded the information to the appropriate security people.

Information like that is obviously not for the general public.

No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that its fixed and look for other weaknesses.

What if the problems aren't fixable?

Look at the Obamacare website rollout - all kinds of visibility, tons of resources, a known problem with literally thousands of working solutions already deployed.

And it was more fucked up than a football bat.

Now imagine some obscure utility infrastructure deployment - little resources, no visibility. I'd venture to say the odds of fundamentally flawed designs and unfixable implementations is pretty good.

Incompetence - it's pervasive.

Lol, sure

By keeping the gaping security holes semi-secret from the general public, we're sufficiently protected from terrorists. It's a flawless plan that has a 100% success rate.

Re:Lol, sure

[Goaway]

Well, do tell. How would it make you more secure to let everyone now about them?

If it were your web browser, you could upgrade it to the latest patched version.

But how do you upgrade your local power station?

Re:Lol, sure

> Well, do tell. How would it make you more secure to let everyone now about them?

Wanna guess how long it would take utility companies to get going about fixing these problems if they started losing billions due to attacks? Less than the decade they've been happily pretending the issues didn't exist?

Re:Lol, sure

[CanHasDIY]

But how do you upgrade your local power station?

Over the WAN. Or Sneakernet, for air-gapped systems.

You do realize that power stations are quite often manned, and the ones that aren't (including substations) receive regular visits from utility workers, right?

Re:Lol, sure

[Goaway]

No, that was not the general "you". It was the specific you. What are you going to do with this knowledge? You can not act on it in any useful way.

Re:Lol, sure

[plover]

Wanna guess how long it would take utility companies to get going about fixing these problems if they started losing billions due to attacks?

The private utility companies would likely be in the best position. They already have security teams, they have upgrade paths, and they have incentive.

The city run utilities would be in the worst position. They typically engage an engineering company for a project to oversee the installation of systems, and train a few city workers to do basic monitoring and maintenance. Twenty years later the city still "owns and operates" the system, but they do not have anyone who understands it. Even if they recognize the need to patch it, their skint budgets are determined years in advance by city council members who are under pressure to fix the potholes, keep the police on the streets, and rein in taxes and spending. There is no budget this year or the next for overhauling the water systems infrastructure. These systems are a long way from being patched.

It could easily take several years to fix every system that needs fixing, even amidst the panic a world-wide hacking spree would induce. During those years, unpatched infrastructure installations around the globe would be hacked, with very negative consequences.

Re:Lol, sure

[CanHasDIY]

No, that was not the general "you". It was the specific you. What are you going to do with this knowledge? You can not act on it in any useful way.

That's presuming that NO ONE in the public at large works for a power company. Which, as we all know, is nonsense.

However, that's not the point - putting a vulnerability out in the open forces the people who use those systems to fix them ASAP, rather than just ignoring the problem until after someone exploits it. Not to mention, we've got a bunch of pretty smart people in the public-at-large, so maybe it wouldn't be a terrible idea to let some of them pore over the code to make sure there aren't any other problems these particular researchers happened to miss.

Re:Lol, sure

[Goaway]

That's presuming that NO ONE in the public at large works for a power company. Which, as we all know, is nonsense.

You realise you can actually inform the power company without informing the public at large?

However, that's not the point - putting a vulnerability out in the open forces the people who use those systems to fix them ASAP, rather than just ignoring the problem until after someone exploits it.

The problem is, you can't just fix these things instantly. This isn't like your web browser, as I said. You don't just push out a quick bug fix and install it. These things run terrible ancient legacy code that you don't even know if anyone knows any more. Fixing them can be a very long process. During all that time, you'll be vulnerable, and can't do anything about it.

Re:It's not bad security.

[Goaway]

No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that its fixed and look for other weaknesses.

That works for you chat program or web browser.

Doesn't quite work that way for your power grid infrastructure.

Human Arrogance

This is nothing but human arrogance at it's best... This human _thinks_ the information he has is exclusive to him and the no-one else will ever discover it! Let's face it, the first we normally know about militant religious group attacks (I refuse to use the word terror in this context) it a bomb goes off!

Do not under estimate the enemy but more importantly do not OVER estimate your value!

As if...

[sidnelson13]

'It would be considered as an [incentive] to terrorism and would give precise ideas to terrorists on the know-how (the methodology) and the details regarding the USA (but also how to find weaknesses in other countries).

Should we really believe that the so called terrorists don't already know what he's talking about? And why should we believe that, just because it hasn't been exploited on a large, TERRORIST, scale?

I mean, be them terrorists, but very likely, they're not stupid. If he in 4 months "discovered" this, I see nothing keeping some bright young hacker with a strong motive from finding this out too.

Re:It's not bad security.

Doesn't matter. Censorship (this isn't self-censorship at all) is intolerable.

Re:It's not bad security.

Of course security through obscurity works. Since no security system is perfect, all security systems rely on the obscurity of their flaws in order to function. How can people not get this?

Ugh.

[azav]

Can we stop using the term, "cyber" to mean "on or over the internet"?

Re:Ugh.

Just interpret it as an abbreviation for "cybersex", and all these stupid attention-grabbing headlines will look far better.

Re:Ugh.

Cybersex warfare. I'm not sure how that would work but it'd be pretty kinky and/or hillarious.

lets state the obvious here.

Maybe France wants a card they can hold against America? Or a bargaining chip that could be used to gain Americas help on a specific issue.

Re:It's not bad security.

Doesn't matter. Censorship (this isn't self-censorship at all) is intolerable.

Bullshit. This isn't some independent scientist being censored by the government. This is a government employee doing what his boss says is permissible as an employee. I work in the financial industry. We employ a lot of researchers. Their research is proprietary. They just cannot go and openly discuss the results of their research, even if it could be groundbreaking, without prior approval first.

Re:It's not bad security.

The government officials have forwarded the information to the appropriate security people.

Information like that is obviously not for the general public.

No - security through obscurity does not work. You are better off fixing security holes and making it public, preferably with open source so that everyone can see that its fixed and look for other weaknesses.

Although this is a very true statement, it unfortunately does not transfer well into the world of most critical infrastructure systems. Most of the vulnerabilities that we hear about are on systems that have a lot of exposure -- PC's servers, routers, and apps. The systems that drive our power grid, water supply, oil pipelines, traffic control systems, etc. are comprised of custom built machines and specialized software running on commercial systems. The engineers that were responsible for developing these systems are not of the same ilk that do software development for general consumer use. Any change to these systems takes time -- sometimes on the order of years -- to go from design through the (often overly) rigorous safety and testing procedures.

There are at least two factors that contribute to this. First, the developers are often engineers who specialize in the specifics of the environment for which the system will be working in. These engineers are simply ignorant of the security situation that the standard software developer these days is faced with. They don't know how to avoid otherwise "stupid" mistakes, and wouldn't know how to fix them if told. And it doesn't work just to bring in someone that does know how to do these things. That is because secondly, these systems are interacting with very complex mechanical systems. The subtle interactions between different systems and precise timing mean that the addition or removal of a single line of code can indirectly result in a catastrophic failure -- failure that can and does cause destruction of property, injury, and even death. It isn't just a seg fault with a shoulder shrug to worry about. The norms that rule software patching in the software world at large just don't apply well here without significant modification.

This is not so say that this is a good, or even acceptable situation. These systems were never intended to be exposed to the internet, or any other accessible network. The world around the systems has been changing, and as the people that operate these systems have adapted to the need to collect and correlate data in real time, provisions have been made to interconnect these systems to connected networks. A major overhaul is needed to adapt these systems to operate safely in the conditions they have been placed. This takes time, and perhaps even some motivation from experiencing an incident or two. (Let's all hope it doesn't come to that!) In the mean time, the reality is that there will be several situations in which making the information public is far more favorable to those that wish to do harm than those capable of fixing the problems. These things take time to fix, and for that time, it's better (for now) for the weaknesses to remain as hidden as possible.

We're no safer for this, but...

[MiniMike]

We're no safer for his withdrawing the paper, but at least any attacks can't be traced back to info provided by him (even if it's accessible elsewhere). I'm guessing this is a CYA move. Hopefully he shares any info on security flaws with people from the relevant organizations.