Archive for the ‘SCADA’ Category
Thoughts about SCADA
The Register has a thing this morning about full disclosure as it relates to SCADA networks; it made for interesting reading, and I highly recommend checking it out. Basically, they point out a few things about industrial networks that many of us have suspected all along: specifically, that vendors in that sector aren’t interested in fixing flaws in their products and that clients aren’t that interested in getting fixes from their vendors. Check it out:
“The vendors were sticking together saying that (researchers) didn’t need to be involved with SCADA flaws,” he said. “‘It puts people and infrastructure in danger,’ they said.” Moreover, many vendors did not appreciate the involvement of the US Computer Emergency Readiness Team (US-CERT), the nation’s response group tasked with managing the process of vulnerability remediation for critical infrastructure…
They believe that fixing vulnerabilities “puts people in danger.” Fixing bugs is dangerous? Maybe it’s their attitude that’s dangerous; folks working within an industrial context who claim they don’t have to worry about finding or fixing vulnerabilities because control networks are “closed off” (segregated) from other networks have a few things to learn about human nature… You see, while the intent might be that these networks stay closed off from each other, human nature dictates that they not stay that way. There are all sorts of reasons why individuals within a firm might wish to allow connectivity between their control network and their corporate intranet; maybe they want to allow data collection from a host on the intranet or maybe they want remote administration capability – there are all sorts of incentives to allow this connectivity to take place. With enough incentive, human nature will find a way to make it happen – in fact, having worked on engagements within this sector, I can testify that connections outside the control network happen. Of course, physical security isn’t always where it needs to be at some of these places either…
So here’s what I’m thinking… are we ready to bet the farm on the fact that these networks aren’t connected? Or maybe should we think about trying to fix some of the issues that these industrial vendors seem so unwilling to acknowledge? In this area, where the consequences of poor security are loss of life and loss of critical infrastructure, it seems to me that these vendors should get over themselves and work to make the environment as safe as possible – it seems to me that sticking your head in the ground and refusing to work with CERT or researchers is counterproductive…