"Data storm" blamed for nuclear-plant shutdown
Robert Lemos, SecurityFocus 2007-05-18

The U.S. House of Representatives' Committee on Homeland Security called this week for the Nuclear Regulatory Commission (NRC) to further investigate the cause of excessive network traffic that shut down an Alabama nuclear plant.

Re: Re: "Data storm" blamed for nuclear-plant shutdown 2007-05-29
0xnull
Allow me to restate. A properly secured and engineered control system is very difficult to break into from the public domain. If it were trivial, the toilets wouldn't flush, the lights wouldn't stay on, our food would be suspect and travel (anywhere) would be atrocious.

THAT said, in a test environment or in a lab, it is quite trivial to get the devices to die all manners of death. Killing a single device in a whole system should not result in a catastrophic failure - this would be a particularly poor engineering decision, and not necessarily a security failure.

Don't forget, these devices were designed for a single purpose - reliable control. If you engineer your network to expose these devices, then it's a user error.

Frankly, Microsoft and other companies have put so much junk into the PC in an attempt to "safeguard" the user. It would be a bad thing to "crapify" a PLC or other controllers with junk to keep the controls engineer safe.

Lastly, p0wer-p3ntester, this isn't a dick measuring contest or an event to see whose balls are bigger. Spreading FUD is an industry issue. And as responsible security professionals in this space, it's our obligation to work together, rather than throwing stones. Disagreement is perfectly fine and encouraged, but a plebeian response does nothing but separate the security folks and prevent us from focusing on the issues.


Link to this comment: http://www.securityfocus.com/comments/articles/11465/34612#34612







 

Copyright 2007, SecurityFocus