BugTraq
RE: Vulnerabilities in some SCADA server softwares Mar 23 2011 05:03PM
Jim Harrison (jim isatools org) (1 replies)
Re: Vulnerabilities in some SCADA server softwares Mar 23 2011 06:13PM
Theo de Raadt (deraadt cvs openbsd org) (3 replies)
Re: Vulnerabilities in some SCADA server softwares Mar 24 2011 05:50PM
CJC (parttimesecurityguy gmail com) (1 replies)
On 23/03/2011 6:13 PM, Theo de Raadt wrote:
>> If *any* threat exists,
>> that threat is increased by public exposure of unmitigated attack
>> methodology
> I think you have it wrong.
>
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
>
> Without public visibility, they will keep running the old code.
>

Whilst I understand the whole "stick it to the vendor argument", and now
SCADA systems seem to be fair game to security researchers wanting to
make a name for themselves in this high profile field.

A lot of people are failing to see the vendors customer side of things.
Industrial Control Systems (ICS), SCADA users, historically have their
focus on availability (you don`t want you
electricity/water/petrocehmicals being cut now do you) and safety (no
one want to die making sure you get your
electricity/water/petrochemicals), and security was never an issue
because the SCADA systems were air gapped and the security needs were
different that IT security. With Business pressures this air gap has
gone away, but the original requirements of availability and safety
still hold. And whilst you can all say that scada systems are "broken"
you are failing to understand what they are designed for and what the
vendors and customers priorities are.

ICS/SCADA engineers also tend to be a wary and cautious lot particularly
with changes to their systems, the last thing they need is a patch that
breaks their functionality, and so even with patches a lot of testing
takes place.

A SCADA system isn't something that you can simply run the equivalent of
Windows Update, reboot the machine and all will be well. Because the
safety and availability requirements, upgrades can take a lot of
planning and a lot of time to impliments. I've heard of upgrades taking
anything from a couple of hours to a couple of years!

Because no one wants their electricity cut off just to install the next
round of patches.

Now obviously none of this is ideal, but with the issues of patch
management within an ICS, full disclosure can cause a lot of problems
that whilst the vendor could respond to quickly will cause a lot of
grief for the end user, through no fault of their own, or the vendor.

[ reply ]
Re: Vulnerabilities in some SCADA server softwares Mar 24 2011 06:12PM
Michal Zalewski (lcamtuf coredump cx)
Re: Vulnerabilities in some SCADA server softwares Mar 23 2011 10:51PM
bugtraq cgisecurity net
Re: Vulnerabilities in some SCADA server softwares Mar 23 2011 06:36PM
J. Oquendo (sil infiltrated net) (4 replies)
Re: Vulnerabilities in some SCADA server softwares Mar 24 2011 11:13AM
Willy Tarreau (w 1wt eu)
Re: Vulnerabilities in some SCADA server softwares Mar 23 2011 08:43PM
Jamie Riden (jamie riden gmail com)
Re: Vulnerabilities in some SCADA server softwares Mar 23 2011 07:33PM
Simple Nomad (thegnome nmrc org)
Re: Vulnerabilities in some SCADA server softwares Mar 23 2011 07:03PM
Theo de Raadt (deraadt cvs openbsd org)


 

Privacy Statement
Copyright 2010, SecurityFocus