Hi Luis,
I was browsing through the book preview on Amazon and quickly realized what the book refers to as Cyber-Physical attacks. The company I work for has a group that deals primarily with SCADA-related products and services and I've heard it mentioned in passing over the years. Most people's exposure and awareness to things like this come mostly from what they see in the movies like Bruce Willis' "Die Hard 15" or whatever variation of the title that movie had that co-starred Justin Long, with Timothy Olyphant and Maggie Q as the antagonist cyber-physical terrorists/blackmailers. I'm sure reality is far from what's depicted in those movies. On the other hand, life soon catches up to fantasy so I guess we'll never know how long it will be before those kinds of scenarios will be possible at the kind of scale that the folks in Hollywood like to relieve us of our money with.
Anyway, I was wondering if, from a
testing point of view, there were any unique problems with testing the robustness and readiness of the response to cyber-physical attacks. I mean it's not like everybody can afford to have an entire regional grid that's isolated from the "production" grid on which to try things out, right? What kind of challenges does having to test in production most of the time present? Of course, in my ignorance, that's what I assume happens. If not, then how do you test to scale? Hypotheticals and projections are fine but everybody knows even the best laid plans seldom survive first contact with the enemy. With the advent of IoT and the ubiquity of connectivity in almost everything, including the kitchen sink, how do security professionals even keep up with all the advancements in the field? The recent DDoS attacks involving connected devices like Home DVRs (and maybe even some refrigerators and toasters? Just rumors?) are just the beginning, I'm afraid. Is this a losing battle from the start?
Sorry for asking so many questions in one post. Feel free to pick out just the ones you feel most strongly about. I'll give you a chance to respond a little before my next barrage of questions.
