Bugtraq mailing list archives
Re: Vulnerabilities in some SCADA server softwares
From: CJC <parttimesecurityguy () gmail com>
Date: Thu, 24 Mar 2011 17:50:42 +0000
On 23/03/2011 6:13 PM, Theo de Raadt wrote:
If *any* threat exists, that threat is increased by public exposure of unmitigated attack methodologyI think you have it wrong. Public exposure increases the visibility, and therefore customers install the patches quicker. Without public visibility, they will keep running the old code.
Whilst I understand the whole "stick it to the vendor argument", and now SCADA systems seem to be fair game to security researchers wanting to make a name for themselves in this high profile field.
A lot of people are failing to see the vendors customer side of things. Industrial Control Systems (ICS), SCADA users, historically have their focus on availability (you don`t want you electricity/water/petrocehmicals being cut now do you) and safety (no one want to die making sure you get your electricity/water/petrochemicals), and security was never an issue because the SCADA systems were air gapped and the security needs were different that IT security. With Business pressures this air gap has gone away, but the original requirements of availability and safety still hold. And whilst you can all say that scada systems are "broken" you are failing to understand what they are designed for and what the vendors and customers priorities are.
ICS/SCADA engineers also tend to be a wary and cautious lot particularly with changes to their systems, the last thing they need is a patch that breaks their functionality, and so even with patches a lot of testing takes place.
A SCADA system isn't something that you can simply run the equivalent of Windows Update, reboot the machine and all will be well. Because the safety and availability requirements, upgrades can take a lot of planning and a lot of time to impliments. I've heard of upgrades taking anything from a couple of hours to a couple of years!
Because no one wants their electricity cut off just to install the next round of patches.
Now obviously none of this is ideal, but with the issues of patch management within an ICS, full disclosure can cause a lot of problems that whilst the vendor could respond to quickly will cause a lot of grief for the end user, through no fault of their own, or the vendor.
Current thread:
- RE: Vulnerabilities in some SCADA server softwares, (continued)
- RE: Vulnerabilities in some SCADA server softwares Jim Harrison (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Theo de Raadt (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares J. Oquendo (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Simple Nomad (Mar 23)
- Message not available
- Re: Vulnerabilities in some SCADA server softwares Simple Nomad (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares Kent Borg (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares Theo de Raadt (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Jamie Riden (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares Willy Tarreau (Mar 25)
- Re: Vulnerabilities in some SCADA server softwares bugtraq (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares CJC (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares Michal Zalewski (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares J. Oquendo (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Mike Hoskins (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares J. Oquendo (Mar 24)