Close

Hack Chat Transcript, Part 4

A event log for SCADA Security Hack Chat

There's a lot of infrastructure out there

dan-maloneyDan Maloney 07/14/2021 at 20:350 Comments

eireann.leverett1:14 PM
Bingo

Patrick C Miller1:14 PM
In addition to many other things. Seems like a simple idea but why the hell haven't I ever thought of that?

anfractuosity1:14 PM
are there any recommended formats for SBOM?

eireann.leverett1:15 PM
I suspect you did, but there's too many threads to chase

eireann.leverett1:15 PM
I got a year of free thinking at airbus

eireann.leverett1:15 PM
it did take about 6 months to break the noise floor of the predictions (augmented dickey fuller suggested 3 month was a limit)

Patrick C Miller1:16 PM
No... I love to claim I did but that one skipped me. I need to add this idea to some models.

Dick Brooks1:16 PM
@anfractuosity - yes SPDX and CycloneDX, https://www.ntia.gov/sbom

eireann.leverett1:16 PM
turns out old WW2 stats and little

eireann.leverett1:16 PM
Little's law did the tirck

eireann.leverett1:16 PM
Airbus owns the IP, but we agreed to publish most of it, and I can talk freely sometime about where it will go.

Patrick C Miller1:17 PM
@anfractuosity there are a few formats/frameworks. Depends on how you will be using it. Some are also in development.

eireann.leverett1:17 PM

https://www.eia.gov/todayinenergy/detail.php?id=35652

EIA

Average frequency and duration of electric distribution outages vary by states

Interruptions in electricity service vary by frequency and duration across the many electric distribution systems that serve about 145 million customers in the United States. In 2016, customers experienced an average of 1.3 interruptions and went without power for four hours during the year.

Read this on Eia

andypugh1:17 PM
Pylons are nice, but I miss motorwaysteps.co.uk. A website about the infrastructure access stairs on motorways (freeways). They all need to be designed, and cost many tens of thousands of (currency units) each. And you don't see them until someone mentions them to you.

eireann.leverett1:18 PM
Love this!

Dan Maloney1:18 PM
EIA is a great resource. I used them for the piece I wrote on petroleum pipelines, and a new piece coming out tomorrow on "Black Starts" for the grid

eireann.leverett1:18 PM
Is DNS infrastructure? :D

eireann.leverett1:19 PM
oooooh, I love that you're writing a blackstarts piece

Dick Brooks1:19 PM
DNS is Critical infrastructure I'd say!

Patrick C Miller1:19 PM
@anfractuosity I am partial to the SBOM Energy stuff being done through the DOE/INL/NTIA

eireann.leverett1:19 PM
You might like this simulation approach we made: https://onlinelibrary.wiley.com/doi/10.1111/risa.13291

Dan Maloney1:19 PM
Thanks, I hope I do the topic justice. I only have 1500 words or so, tough to put in much detail.

eireann.leverett1:19 PM
Not so much about blackstarts but estimating the impact of outages on say transport

Galactic creature 421:20 PM
@eireann.leverett Eye of the Lucifer…. The hotest hell…. (would be my answer) 🤣🤣🤣

Dick Brooks1:20 PM
My company is participating in the SBOM POC hosted by INL, usign the SAG-PM software representing a well known utility in hte mid Atlantic area

eireann.leverett1:20 PM
doing intersectoral stuff is super hard, but the oxford team came up with a cool voronoi decomposition to estimate substation outage effects on train stations

Dick Brooks1:22 PM
I think aDoulus is wrokign with OSIsoft on the software vendor side. REA is working on the consumer side of the SBOM POC

Patrick C Miller1:22 PM
aDolus is doing some great stuff.

eireann.leverett1:22 PM
I guess if the talk is over, me and Patrick can have a whisky?

eireann.leverett1:23 PM
I've got an "Emergency Decadence" at hand.

Patrick C Miller1:23 PM
Cheers, old friend. We need to do that sometime soon.

eireann.leverett1:23 PM
Indeed

Dick Brooks1:23 PM
I agree @Patrick C Miller they are one of only a handful oc C-SCRM vendors with the ability to process NTIA SBOM's. Microfot gobbled up Refirm Labs and IBM gobbled up BoxBoat. C-SCRM is becoming a thing

Galactic creature 421:23 PM
A wiseman said: To make critical damage to electricity distribution, with still small effort and costs -> buy 2 offroads (Mitsubishi L200 e.g.), and use them to physically attack 2 big substations…. No APT, expensive research…..

eireann.leverett1:24 PM
cool probability site for you risk nerds

eireann.leverett1:24 PM

https://seeing-theory.brown.edu/

BROWN 
DANIEL KUNIN

Seeing Theory

A visual introduction to probability and statistics.

Read this on Brown

eireann.leverett1:24 PM
Our trust in infrastructure is inversely proportional to how well we understand it

Dick Brooks1:25 PM
Have started looking into use of Bayes Theorem for vulnerability analysis - look interesting.

eireann.leverett1:25 PM
It is powerful stuff, applying it is tricky. I think it's just about getting to know bayes as a tool regularly.

eireann.leverett1:26 PM
It is very useful in many contexts

Dick Brooks1:26 PM
Hoping to know more shortly.

eireann.leverett1:27 PM
If you ever need us, I run a small cyber risk consultancy as well as doing cyber insurance.

eireann.leverett1:27 PM
I'm bringing another academic on board soon who is looking for quantiative problems to solve.

Dick Brooks1:28 PM
Will definitely keep that in mind - it's hard to find people with stats and cybersec proficiency

eireann.leverett1:28 PM
We write code too, a more accurate name might be a think-code-do tank.

Discussions