[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Vulnerabilities in some SCADA server softwares
On 23/03/2011 6:13 PM, Theo de Raadt wrote:
If *any* threat exists,
that threat is increased by public exposure of unmitigated attack
I think you have it wrong.
Public exposure increases the visibility, and therefore customers
install the patches quicker.
Without public visibility, they will keep running the old code.
Whilst I understand the whole "stick it to the vendor argument", and now
SCADA systems seem to be fair game to security researchers wanting to
make a name for themselves in this high profile field.
A lot of people are failing to see the vendors customer side of things.
Industrial Control Systems (ICS), SCADA users, historically have their
focus on availability (you don`t want you
electricity/water/petrocehmicals being cut now do you) and safety (no
one want to die making sure you get your
electricity/water/petrochemicals), and security was never an issue
because the SCADA systems were air gapped and the security needs were
different that IT security. With Business pressures this air gap has
gone away, but the original requirements of availability and safety
still hold. And whilst you can all say that scada systems are "broken"
you are failing to understand what they are designed for and what the
vendors and customers priorities are.
ICS/SCADA engineers also tend to be a wary and cautious lot particularly
with changes to their systems, the last thing they need is a patch that
breaks their functionality, and so even with patches a lot of testing
A SCADA system isn't something that you can simply run the equivalent of
Windows Update, reboot the machine and all will be well. Because the
safety and availability requirements, upgrades can take a lot of
planning and a lot of time to impliments. I've heard of upgrades taking
anything from a couple of hours to a couple of years!
Because no one wants their electricity cut off just to install the next
round of patches.
Now obviously none of this is ideal, but with the issues of patch
management within an ICS, full disclosure can cause a lot of problems
that whilst the vendor could respond to quickly will cause a lot of
grief for the end user, through no fault of their own, or the vendor.