05 December, 2006

Fact #4 - Bad Guys Know


The bad guys are now realizing that there is something here.

When I first wrote this fact more than 2 years ago, it was new. Now I don't know how anyone could deny it. They have found SCADA plans with terrorists. In case you think this is a new phenomenon that is only occurring because of the current hype, it was talked about back in 2002, with reconnaissance to back it up then and even before.

For some reason I keep running into people who say we shouldn't talk so loud about it.

Well, two replies to that.

Worms and malware don't care what I say.
The real bad guys have known for years.

If you are involved in engineering control systems and you are not already developing a layered approach to security, you will have a problem sooner or later. You might put it off by delaying getting scans to see how well you stand up, or by stating that "we don't connect our SCADA systems to the IT network", but if you have IP-connected systems (and more and more organizations do), sooner or later you'll deal with it.

It is best to deal with it in a controlled environment.


Jake Brodsky said...

The bad guys do know, Jim, I agree there. What they also know is that there are even softer targets than SCADA systems. The article you cited noted that the terrorist was busy with explosives and weapons -- not SCADA hacking tools.

As the old saying goes: You don't have to run faster than the bear -- you only have to run faster than your fellow campers.

Jim C said...


A fact I often point out in meetings.

On the IT side my favorite corollary to this is the "podSlurping" and removable devices conversation.

My question there: do they have internet access?

I would note though that the second link I had pointed to actual attempts at the systems.

Another item to point out is that it is a lot harder to get caught at a coffee shop in Iran or Pakistan than trying to buy ammonium nitrate in the US.

Less effective but less risk.

Just because they have other options doesn't mean that protection isn't required.

It does mitigate the risk though.