In my career I have found the loudest naysayer voices find themselves in echo chambers to make themselves feel like thought leaders but are often well in the minority and simply not part of where the real work happens, ostracized by the do’ers for being heroes in their own mind.
My advice to the folks who find themselves trapped in those echo chambers is to step out of the social media bubble when necessary and look into the much larger community and partake in it and move the needle forward. In all corners of this infosec industry you’ll find the do’ers
It’s appropriate to have informed discussion about what the best paths forward are. But if you find yourself critiquing more than working - ask yourself what path you’re on. Everyone’s biases, that’s ok, but make sure you’re building up more than tearing down or you’ll be alone
I have always found that those closest to the mission keep me grounded. Find work and go do it. Find those working and go join them. The trolls, those that gain quick laughs at others’ expense, those that want to amplify only what doesn’t work except their pet projects: ignore em
Yesterday in the Congressional hearing on homeland cybersecurity @C_C_Krebs and @DAlperovitch very kindly called out @DragosInc as a good example/company to work with in ICS/OT. Not “buy Dragos stuff” but “here’s a good example of an approach” and I just want to say thanks
We’ve been afforded a really cool place in the community to be allowed to focus on ICS/OT and have a ton of support from around the community.
What mostly stood out to me on this topic is that both recognized the unique approach required for ICS (Dragos or not)
Enterprise security is very important. And there’s lots to learn from them for ICS. But ICS security is different especially when dealing with physical systems. Understanding the unique risks, systems, etc all matter but most important is understanding the mission and priorities
The fact that so many are focusing on the water plant using Windows 7, which had nothing to do with how the attack was done, is interesting. Folks have an obsession with vulnerabilities and while they can matter a lot it is a fundamentally different value prop in ICS.
The attack took advantage of TeamViewer. In this instance the OS didn’t matter. The TeamViewer application was Internet facing and available. The attack took advantage of the HMI, that’s not a software vuln issue, they just did what operators could do on the system natively
There’s a lot of “insecure by design” systems in ICS. Meaning most of the things you want to do you don’t need a vulnerability or exploit to do.
Also a lot of IT security is system or data security, protect the system don’t let folks get root, encrypt the data, etc. ICS is not
I know there’s a desire to calm people down and have some confidence, but I would advise anyone pretending they have an understanding of the scope of the SolarWinds compromise to dial it down a bit. It’s going to take time, could be more accesses, and our collection isn’t great.
E.g. “right now there are only $X orgs that are impacted” is based on very limited visibility with an expectation we understand all the compromise routes and adversary command and control capabilities. We simply don’t know that to be true and won’t in the first couple weeks
Should average citizens be freaking out? No, this isn’t war, stop the hyperbole. From a national security perspective though the President and Congress must have confidence in the integrity of its critical and defense critical sites. We’re nowhere near “we understand this” yet.
Fun to be on this episode of @DarknetDiaries - the heroes of the story IMO are Julian & @naserdossary who are interviewed as well and were incident responders on the case. Credit to the @DragosInc intel team for their hard work too (special thx for @ReverseICS @mayahustle)
I think the story really got carried away and at some point Saudi Aramco was named as the victim when in reality they were the first responders helping out their community. Kudos to them and the other unsung heroes. Lots of teams come together to help in such events
I’m thankful Julian and @naserdossary have since joined the Dragos team. Our team is better for having them on it.
I’ve had a few folks reach out to me because of some of my employees’ comments in the media and on their social media apparently expecting me to censor them or take some action. Some general end of day stressed thoughts: (1/x)
First, I’m prior military, please do not play the “support our troops” card on me. Our military has a wide set of diverse views not supporting one position or party. Many support military usage here and many don’t and are following lawful orders but ready to refuse unlawful ones
Second, our customers are damn lucky my firm has diverse views. Lack of diversity is the enemy of success. Diversity isn’t a PC topic to us, it’s not only morally right, but it is selfishly necessary to counter strategic well funded adversaries in highly ambiguous scenarios.
The story of hardware backdoors from China found in an electric transformer at a US utility is continuing to gain attention; but it doesn’t deserve to. There has only been 1 source of the claim who doesn’t even work at a utility and he has provided 0 evidence.
The story especially with its supply chain angle is sensational and touches on long held fears in DC and elsewhere. But their fears that have never manifested. So there’s folks who really want to believe this is true. But there’s no evidence of it now nor has there been.
Joe (the individual making the claim) is a really good engineer and has been very important to the development of the ICS security community, but he often has sensational claims that turn out to be very inaccurate, unsupported, or twisted non-maliciously for other purposes.