Grid insecurity - and how to really fix this shit

You don’t need to be nation-state backed, sophisticated, or even organized to take down the grid. Anyone can hack ICS/SCADA (even Donald Trump’s 400-pound guy sitting on his bed!). And the thing is, for years, we’ve been talking about finding 0-days in the grid, water treatment facilities, and other critical infrastructure. For the past ten or so years, con talks have focused on two things: all the fun 0-days, and the thousand products you should buy to be protected. But they never address the complexity of the actual problem. ICS is made up of endless numbers of components from just as many manufacturers – vulnerabilities are just the result of either incomplete systems design or poor implementation. Most weaknesses are discovered at interfaces between software providers, coding languages, and system component boundaries, where vulnerabilities are introduced by the sum of all parts. Protecting ICS/SCADA is a systems-level problem – and splitting it up into distinct pentests is not the solution. It means never solving the end-to-end issue, and ultimately cannibalizing an organization’s security budget by applying band-aids instead of fixing the systemic issue.
This talk will not be another talk about how f*cked the problem is; instead, it’ll reframe the issue as a systemic one and talk about ways to fix it end-to-end.