Re: Vulnerabilities in some SCADA server softwares

On 23/03/2011 6:13 PM, Theo de Raadt wrote:
>> If *any* threat exists,
>> that threat is increased by public exposure of unmitigated attack
> I think you have it wrong.
>
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
>
> Without public visibility, they will keep running the old code.

Whilst I understand the whole "stick it to the vendor" argument, SCADA systems now seem to be fair game to security researchers wanting to make a name for themselves in this high-profile field.

A lot of people are failing to see the vendor's customer side of things. Industrial Control Systems (ICS) and SCADA users have historically focused on availability (you don't want your electricity/water/petrochemicals being cut now, do you) and safety (no one wants to die making sure you get your electricity/water/petrochemicals), and security was never an issue because the SCADA systems were air-gapped and the security needs were different from those of IT security. With business pressures this air gap has gone away, but the original requirements of availability and safety still hold. And whilst you can all say that SCADA systems are "broken", you are failing to understand what they are designed for and what the vendors' and customers' priorities are.

ICS/SCADA engineers also tend to be a wary and cautious lot, particularly with changes to their systems. The last thing they need is a patch that breaks their functionality, and so even with patches a lot of testing takes place.

A SCADA system isn't something on which you can simply run the equivalent of Windows Update, reboot the machine and all will be well. Because of the safety and availability requirements, upgrades can take a lot of planning and a lot of time to implement. I've heard of upgrades taking anything from a couple of hours to a couple of years!

Because no one wants their electricity cut off just to install the next round of patches.

Now obviously none of this is ideal, but given the issues of patch management within an ICS, full disclosure can cause a lot of problems that, whilst the vendor could respond to them quickly, will cause a lot of grief for the end user, through no fault of their own or of the vendor.
