Re: Vulnerabilities in some SCADA server softwares
From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 23 Mar 2011 16:10:43 -0400
On 3/23/2011 11:27 AM, Kent Borg wrote:
> Would I install a stack of SCADA upgrades to *my* functioning
> factory? Maybe not.
> Scary, scary stuff.
> Security needs to be designed in, implemented carefully each step
> along the way, and reviewed. Instead people with "security" in their
> job title so often seem to think security is firewalls, buying
> anti-virus support contracts, and requiring use of MS Outlook and
> -kb, the Kent who will shut up now.
This is a big fact that many are overlooking. Regardless if the vendor
is a complete and utter moron, patches don't come easy for these
systems. Secondly, many of these systems are very old and are being
"propped" up by new software. There is no running out to deploy PLCs
that can fail because of a glitch.
Security wasn't a factor in the 50s, 60s, 70s and so on as it has become
now. No one foresaw that even sending one too many ICMPs at a modbus
would crash it. THIS is the reality of SCADA systems. It has nothing to
do with "hiding the bugs hoping they will go away." It isn't about:
"they attacked Linux, then Windows, now SCADA" boo-hooisms. Completely
separate playing field.
Sure, these need to be designed properly; however, the reality is, many of
these systems are old. Many of these systems control the quality of the
water we drink, the pollution leaving a plant, the power being
generated. This isn't: "release it... make em fix it fast... that'll
teach them." I wonder how the author would feel if, say, a water treatment
plant in his area was affected, causing all the water around him to be toxic.
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP
"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett
42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF