[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerabilities in some SCADA server softwares

J. Oquendo wrote:
At what point in time did you try contacting any of the vendors for these issues?

SCADA systems are infamous for being terribly insecure. (You can search the internet for demonstration video of equipment catching fire because of such bugs.) SCADA manufacturers seem to have a firewall mentality that excuses them from needing to be secure. I am not at all surprised to see these bugs, though I do cringe at how embarrassing they are. Heaping some embarrassment on the vendors seems well deserved.

The downside to doing it publicly: Just because SCADA systems communicate with the public internet and so are directly or indirectly vulnerable doesn't mean the people who run them *intended* to hook them up to the internet nor are aware what wire got plugged in or thumbdrive transferred that made the bridge. They probably think they are invulnerable, I bet the Iranians thought so. The manufacturers might release a bug fix and customers (who discovered they have some equipment for which there is an upgrade), maybe won't think they need them.

Also, once I have my clothespin factory, or nuclear plant, up and running smoothly, how attractive is it to start applying "upgrades"? Should I validate them first on my testbed nuclear power plant? It is hard to test a SCRAM adequately. And if my vendor is so incompetent as to write so many security holes into the software in the first place, how much faith should I have in a different programmer, maybe years later, patching code s/he probably doesn't understand as well as the first sloppy programmer did. And who gets this thankless task? The senior programmer who is working on the new project that is already behind schedule, or the new guy? Does the new guy fully understand the build procedure to even make all the parts correctly? Do they even have good source code control to be sure they know what sources the old (and largely working version) was built from? Are the upgrade procedures reliable and understood by the vendor and by the worker the customer will send out on the factory floor with a CD-ROM in hand? (Will that worker stick the CD-ROM in the right slot and reboot the right box?) Maybe. Would I install a stack of SCADA upgrades to *my* functioning factory? Maybe not.

Scary, scary stuff.

Security needs to be designed in, implemented carefully each step along the way, and reviewed. Instead people with "security" in their job title so often seem to think security is firewalls, buying anti-virus support contracts, and requiring use of MS Outlook and Internet Explorer.

-kb, the Kent who will shut up now.