14 Hours and an Electric Grid

Stage 2

We are pleased to welcome Jason Larsen back to the S4 stage for this session.

Reporters are a chaotic force in the security industry.  They rarely have the background or the time to cover an issue accurately.  At the same time, what upper management reads on the Internet shapes many of their choices.  This is especially true when anything touches critical infrastructure.  During the reporting cycle of a very average series of bugs that happened to be in an industrial control device, a reporter concluded that the bugs I had found were only useful to nation-state attackers and that random people could easily take over pieces of critical infrastructure. I thought it was strange that someone could believe both of these incorrect and opposite conclusions, except that that particular combination makes for the most shocking headlines.  As I was trying to compose my rebuttal, I found I didn’t have any raw public research that someone could use as a measuring stick for an “average” attack.  What does a professional actually accomplish in an average day’s work?

In an engagement shortly afterwards, I was tasked with breaking into a distribution utility in a European country.  While I was there, I took detailed notes on what I was doing for each hour of the engagement.  This presentation will cover the first fourteen hours of that engagement.  Those hours involved analyzing an Ethernet-to-Serial gateway, finding exploitable bugs (yes, patches are now available), writing exploits for those bugs, and constructing an implant that would manipulate some points during a later part of the engagement.  This fit the bill for a very average few days during a very average engagement.

Most of the presentations that make it into conferences are about something new and exciting. I’m definitely not promising any revelations.  Cyber work has been around long enough that we have professionals who break things without it being new and exciting.  This presentation will try to show what a “normal” day looks like and how our view of “normal” affects how we perceive attackers.  Have we let so much James Bond creep into our thought processes that we aren’t really preparing for the 9-to-5 guy who is most probably going to show up at the firewall?

Attacks and Attackers