Nowadays, one of the most popular and dangerous idea in the security world is that once you have learned to think like an hacker you will also be able to build robust system. This is the idea lying at the foundations of those capture the flag exercise where someone teach some poor students to crash a system. In this way the students will also learn, in some esoteric and mysterious way, how to build an unhackable system.
There are bad news for the supporters of this idea because the elite cia unit to develop hacking tools failed to secure its own system and this resulted in a massive leak of these tools. Furthermore, according to The Washington Post –
“Without the WikiLeaks disclosure, the CIA might never have known the tools had been stolen, according to the report. “Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the task force concluded.”
This interesting counterexample remind us that a command team that can destroy a bridge is not the best team to build one. For some mysterious reason, this trivial, widely accepted engineering principle should not hold for cyber security. To solve this mystery we should consider that we know how to build a robust system, we have tool to measure this robustness but these approaches are more expensive and less romantic than asking for some expert 🙂 opinion from hackers or penetrator testers.
If something goes wrong, we will claim that “any system can be attacked”.
Most OT systems include legacy equipment not designed to be connected to the internet nor defend against malicious cyberactivities. This is particularly