SecurityFocus 2006-06-16
The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities.
NT on SCADA networks? Gee...
2006-06-19
assurbanipal (2 replies)
SCADA industry debates flaw disclosure
2006-07-26
Anonymous (1 replies)

As an industry, the SCADA and control systems technology providers have been kicking and screaming as they have been dragged into the modern world of application providers. It is no surprise to hear the argument that disclosure will increase risk, and that the most important thing to do is build the barrier and then work on hardening.
The fact of the matter is that the business drive is forcing more openness and connections between the corporate and operational businesses, as well as forcing disparate operational businesses to interconnect. After all, that was why ICCP was designed in the first place.
As for the idea that obscurity helps some level of security here, it's a myth that SCADA and control systems enjoy any such luxury as being technologically obscure. The standards for the most widely used protocols are published standards. Any person that does the work can find: reference implementations, documentation, developer libraries and APIs, open source implementations, and many other sources to be able to learn about SCADA and DCS technology. Besides, there are hundreds of power companies, water companies, gas companies, pipeline companies, manufacturing facilities, chemical processing facilities, building maintenance companies, schools, and others that could be the source for an industrious person looking to get access to SCADA technology to test or hack to learn. There is no security through obscurity, because the technology is only obscure to a general attacker, not a dedicated and directed one.
As for disclosure, I am surprised to hear vendors still arguing to keep US-CERT and other oversight organizations from having the information necessary to help others in the industry. The clearing house idea started long ago, and became more formalized for critical infrastructures in 1998. Sure, there's been a lot of problems, but you'd think the petty fights would be over by now.
The base fact is that the organizations that help protect our nation and others need to understand the potential risks. Otherwise they won't be able to prepare the proper response to wide-scale attacks when they occur.
The idea that this is the first or even most serious discovered flaw in some SCADA vendor's product that has security implications is just naive. This one just points to the fact that more traditional security companies are looking, and they get much of their notoriety by publishing the flaw that they found. This will continue just as it has for every other technology. So vendors can no longer work the problems in a vacuum as if they don't exist or are unique to the company that discovered the problem.
Best wishes to all who work this problem. It has its barbs, both technical and political.