Message-ID: <4D8B8472.5060300@googlemail.com>
Date: Thu, 24 Mar 2011 17:50:42 +0000
From: CJC <parttimesecurityguy@...il.com>
To: Theo de Raadt <deraadt@....openbsd.org>
Cc: Jim Harrison <jim@...tools.org>,
	"'Luigi Auriemma'" <aluigi@...istici.org>,
	"'Michal Zalewski'" <lcamtuf@...edump.cx>,
	"'J. Oquendo'" <sil@...iltrated.net>, bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares
On 23/03/2011 6:13 PM, Theo de Raadt wrote:
>> If *any* threat exists,
>> that threat is increased by public exposure of unmitigated attack
>> methodology
> I think you have it wrong.
>
> Public exposure increases the visibility, and therefore customers
> install the patches quicker.
>
> Without public visibility, they will keep running the old code.
>
Whilst I understand the whole "stick it to the vendor argument", and now 
SCADA systems seem to be fair game to security researchers wanting to 
make a name for themselves in this high profile field.
A lot of people are failing to see the vendor's customer side of things.
Industrial Control Systems (ICS), SCADA users, historically have their
focus on availability (you don't want your
electricity/water/petrochemicals being cut now do you) and safety (no
one wants to die making sure you get your
electricity/water/petrochemicals), and security was never an issue
because the SCADA systems were air gapped and the security needs were
different than IT security.  With business pressures this air gap has
gone away, but the original requirements of availability and safety
still hold.  And whilst you can all say that SCADA systems are "broken"
you are failing to understand what they are designed for and what the
vendors' and customers' priorities are.
ICS/SCADA engineers also tend to be a wary and cautious lot particularly 
with changes to their systems, the last thing they need is a patch that 
breaks their functionality, and so even with patches a lot of testing 
takes place.
A SCADA system isn't something that you can simply run the equivalent of 
Windows Update, reboot the machine and all will be well.  Because of the
safety and availability requirements, upgrades can take a lot of
planning and a lot of time to implement.  I've heard of upgrades taking
anything from a couple of hours to a couple of years!
Because no one wants their electricity cut off just to install the next 
round of patches.
Now obviously none of this is ideal, but with the issues of patch
management within an ICS, full disclosure can cause a lot of problems
that, whilst the vendor could respond to them quickly, will cause a lot of
grief for the end user, through no fault of their own, or the vendor.