RE: SCADA providers say security not our problem

["Drew Copley" <dcopley () eeye com>]

Excellent post, thanks for sharing the info.

> -----Original Message-----
> From: full-disclosure-admin () lists netsys com 
> [mailto:full-disclosure-admin () lists netsys com] On Behalf Of 
> Michael Scheidell
> Sent: Wednesday, August 20, 2003 7:41 PM
> To: full-disclosure () lists netsys com; intrusions () incidents org
> Cc: snpmarq () securitynewsportal com; 
> bugtraq () securityfocus com; Content@ITtoolboom
> Subject: [Full-disclosure] SCADA providers say security not 
> our problem
>
>
> The Factory automation and SCADA systems providers have not 
> shown much willingness to take any responsibility for the use 
> (or misuse) of their systems, having washed their hands of 
> the security and stability functions once the system is 
> declared 'on line', saying that the security of their systems 
> in ow in the hands of the end-user.
>
> This attitude amoung major manufactures of FA and SCADA 
> systems has in the past lead to break downs ("see Ohio Power 
> plant shut down by slammer worm" 
> http://www.security-focus.com/news/6767 ) 
>
> I have contacts in the FA/SCADA field, having run the worlds 
> largest distributor of QNX (an RTOS used by FA/SCADA systems) 
> and having been the Director of Business Development for 
> VenturCom (they have a product called 'RTX' which is an RTOS 
> kernel for Windows, and they 'invented' embedded
> NT) 
>
> During my years in both companies I have seen how and what 
> Windows can be used for (and what its forced to do) and I can 
> tell you by experience that while DCOM on NT may not be used 
> directly for real time control functions, it is in fact used 
> to do supervisory and monitoring ('traffic cop') type functions. 
>
> Originally, FA and SCADA systems ran on proprietary backbones 
> like the Allen-Bradley links, 4 wire control and signaling systems.
>
> With the advent of 10/100 and 1GB switched networking, many 
> control systems are now using ethernet for control.  Its 
> cheaper to install and maintain and comes with it the promise 
> of direct backoffice and manufacturing systems integration. 
>
> However, with the combination of COTS (commercial off the 
> Shelf) systems like Windows, and transports like ethernet, 
> many once isolated FA systems are now combined, integrated, 
> reachable (and hackable) via administrative networks that 
> themselves have full internet access.
>
> Should the installers and manufacturers of these systems make 
> sure they are compatible with current service packs and 
> patches?  Should they warn their clients that under no 
> circumstances should these systems ever be linked, cross 
> linked, even thorough a firewall to the corporate network? 
> What about their promise of integration? integrated back 
> office and manufacturing functions?  How will they do that 
> without direct links? 
>
> Should the purchaser of these systems be required, or even 
> permitted to upgrade an patch these systems? 
>
> Who is responsible for damages if (and when) these 
> unprotected systems get hacked? 
>
> If a SCADA manufacturing company installs a (currently 
> patched, reasonable
> secure) system in a health care or medical manufacturing 
> company, and integrated back office functions include patient 
> data, who is going to pay the HIPAA fines _WHEN_ that system 
> gets hacked by a multi-mode worm?  Once that gets in via 
> email on the administrative side, or is brought in via the 
> vendor themselves during installation and testing functions? 
>
> What do you think of this response by a major manufacturer of 
> SCADA systems?  Is it up to the end customer to keep these 
> systems isolated? And if so, should these companies stop 
> pushing the ease of integration and integrated back office 
> functions and just admit that there can be no connectivity 
> between your internet accessible administrative network and 
> the critical manufacturing system? And how reasonable is that 
> in light of recent revelations of failures at that above 
> mentioned Ohio power plant?
>
> "   But it is impossible for us to keep our SCADA systems 
> secure.  Once we
>     get a version out there, and it is installed performing 
> some function
>     like power plant automation, customers don't mess with 
> it.  They only use
>     it.
>
>     It will become vulnerable over time due to stagnant 
> technology.  Our
>     focus, and your focus, needs to be on secure access to 
> it.  Not making
>     the product itself bullet proof.
>
>     Interesting questions about the liability.  Contracts 
> would need to
>     be structured to highlight Best Efforts on security, not 
> perfection.  The
>     bottom line is that a service provider will give you more security
>     because they live it and it is their focus."
>
> What is your opinion? what you you tell your HIPAA, or SEC 
> regulated company if their vendors refused to take 
> responsibility or even washed their hands once the system is 
> installed?
>
> --
> Michael Scheidell, CEO 
> SECNAP Network Security
> Main: 561-368-9561 / www.secnap.net
> Looking for a career in Internet security? 
> http://www.secnap.net/employment/
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html