Die Hard 3 – Our Infrastructural Systems

Die Hard 3 – Our Infrastructural Systems

Society has one very critical technological underpinning that goes un-noticed by most people, but not hackers. If you’ve ever seen the most recent die hard movie then you’ll have an idea of what I am talking about. That is, the world’s critical infrastructures are vulnerable to attack by hackers (scary but true). These infrastructures include but are not limited to Water, Power, Communications, Transportation, Chemical Plants, etc.

Critical Infrastructure existed well before the advent of the Internet. The systems that were deployed to support the infrastructure were designed for stability, reliability and redundancy. These are computer systems that are used to control massive pumps, generators, cooling pools, the flow of gas, and other critical devices. A failure in one of those computer systems can translate to a failure in one of those critical devices.

When Infrastructure’s IT Infrastructure was first built, remote measurement devices would report data back home via dedicated network connections. In some cases people would physically go to remote locations and take readings and report those readings back to the headquarters. Recently however, Infrastructural businesses realized the cost benefit of using the Internet in place of the dedicated lines and the traveling meter-reading engineers. What they didn’t consider what the seriousness of the Internet threat, and the capabilities of those who create the threat.

As a result Infrastructure in every developed country contains critical technological vulnerabilities that have yet to be discovered. Those vulnerabilities if exploited successfully could result in damages ranging from basic system outages to the deaths of many people. This is the cost of a premature reliance on technology that people don’t fully understand.

To make matters worse the solution isn’t easily implemented. The problem is clouded with political noise, egos, and old time engineers that resist change. Some of them might actually fear for their jobs as they well should if in fact their skills are not unique. Others should fear for their jobs because they have neglected to protect critical infrastructure from the hacker threat. This problem isn’t a new problem and its existed for quite a while now, but we’re working to turn up the heat.

Yet still its not quite that simple. Many of these systems can’t just be patched, some of them are upgraded with fork lifts. The ones that can be patched, can’t still be patched because for them to go off-line means that you lose power, water, emergency services etc. Worse yet, if a patch is applied and that patch fails 90 days after its running, then it can kill people. So the threat is literally two sided. The fix creates a threat, and the hackers create a threat. How to resolve this without having either threat align with the risk?

If you are interested in following the conversations then you should subscribe to the SCADA Sec mailing list. The list is made up of a wide range of IT experts including Security Specialists, Control System experts, and Control System Security experts. As a group we’ll solve this problem, but if we keep arguing about semantics then we’re all in trouble.

Blog Posts

Karen Huggins

Chief Financial, HR and Admin Officer
Karen joined the Netragard team in 2017 and oversees Netragard’s financial, human resources as well as administration functions. She also provides project management support to the operations and overall strategy of Netragard.
 
Prior to joining Netragard, she worked at RBC Investor Services Bank in Luxembourg in the role of Financial Advisor to the Global CIO of Investor Services, as well as several years managing the Financial Risk team to develop and implement new processes in line with regulatory requirements around their supplier services/cost and to minimize the residual risk to the organization.
 
With over 20 years of experience in finance with global organizations, she brings new perspective that will help the organization become more efficient as a team. She received her Bachelor of Finance from The Florida State University in the US and her Master of Business Administration at ESSEC Business School in Paris, France.

Philippe Caturegli

Chief Hacking Officer
Philippe has over 20 years of experience in information security. Prior to joining Netragard, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements.

Philippe has over 10 years of experience in the banking and financial sector that includes security assessment of large and complex infrastructures and penetration testing of data & voice networks, operating systems, middleware and web applications in Europe, US and Middle East.

Previously, Philippe held roles within the information system security department of a global pharmaceutical company in London. While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.)

Philippe actively participates in the Information Security community. He has discovered and published several security vulnerabilities in leading products such as Cisco, Symantec and Hewlett-Packard.

He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), PCI Qualified Security Assessors (PCI-QSA), OSSTMM Professional Security Analyst (OPSA), OSSTMM Professional Security Tester (OPST), Certified in Risk and Information Systems Control (CRISC)and Associate Member of the Business Continuity Institute (AMBCI).

Adriel Desautels

Chief Technology Officer
Adriel T. Desautels, has over 20 years of professional experience in information security. In 1998, Adriel founded Secure Network Operations, Inc. which was home to the SNOsoft Research Team. SNOsoft gained worldwide recognition for its vulnerability research work which played a pivotal role in helping to establish today’s best practices for responsible disclosure. While running SNOsoft, Adriel created the zeroday Exploit Acquisition Program (“EAP”), which was transferred to, and continued to operate under Netragard.
 
In 2006, Adriel founded Netragard on the premise of delivering high-quality Realistic Threat Penetration Testing services, known today as Red Teaming. Adriel continues to act as a primary architect behind Netragard’s services, created and manages Netragard’s 0-day Exploit Acquisition Program and continues to be an advocate for ethical 0-day research, use and sales.
 
Adriel is frequently interviewed as a subject matter expert by media outlets that include, Forbes, The Economist, Bloomberg, Ars Technica, Gizmodo, and The Register. Adriel is often an invited keynote or panelist at events such as Blackhat USA, InfoSec World, VICELAND Cyberwar, BSides, and NAW Billion Dollar CIO Roundtable.