mailing list archives
Re: Vulnerabilities in some SCADA server softwares
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 24 Mar 2011 11:12:07 -0700
A lot of people are failing to see the vendors customer side of things.
Industrial Control Systems (ICS), SCADA users, historically have their
focus on availability (you don`t want you electricity/water/petrocehmicals
being cut now do you) and safety (no one want to die making sure you get
your electricity/water/petrochemicals), and security was never an issue
because the SCADA systems were air gapped and the security needs were
different that IT security.
Exactly the same arguments could have been brought up 15 years ago
against the then-disruptive and novel disclosure of vulnerabilities in
Unix systems or in Windows ("you can't just expect to shut down a bank
and roll out potentially disruptive security updates every week!"
coupled with "vendors certainly know what's best for us"). Back then,
commodity OSes have been designed insecurely because of similar
business considerations, and not because of malice.
The roots of BUGTRAQ are with the movement to end bug secrecy of that
era. It caused some pain, and also caused some significant long-term
improvements by convincing the public and the vendors that security is
something you simply can't afford not to care about.
Views on the cost / benefit balance of this process are varied, of
course, but knowing what I learned thanks to this process, I sure
wouldn't want to be using any of the operating systems available back
Re: Vulnerabilities in some SCADA server softwares Kent Borg (Mar 23)
Re: Vulnerabilities in some SCADA server softwares Pavel Kankovsky (Mar 24)