After Stuxnet, a rush to find bugs in industrial systems

[InfoSec News <alerts () infosecnews org>]

http://features.techworld.com/security/3311064/after-stuxnet-a-rush-to-find-bugs-in-industrial-systems/

By Robert McMillan
Techworld.com
16 October 2011

Kevin Finisterre isn't the type of person you expect to see in a nuclear 
power plant. With a beach ball-sized Afro, aviator sunglasses and a 
self-described "swagger," he looks more like Clarence Williams from the 
'70s TV show "The Mod Squad" than an electrical engineer.

But people like Finisterre, who don't fit the traditional mold of 
buttoned-down engineer, are playing an increasingly important role in 
the effort to lock down the machines that run the world's major 
industrial systems. Finisterre is a white-hat hacker. He prods and 
probes computer systems, not to break into them, but to uncover 
important vulnerabilities. He then sells his expertise to companies that 
want to improve their security.

Two years ago, Finisterre, founder of security testing company Digital 
Munition, found himself swapping emails with a staffer at Idaho National 
Laboratory's Control Systems Security Program, a project funded by the 
US Department of Homeland Security that is the first line of defense 
against a cyberattack on the nation's critical infrastructure.


Hackers are not hireable by a national laboratory

Finisterre caught the attention of INL in 2008, when he released attack 
code that exploited a bug in the CitectSCADA software used to run 
industrial control environments. He'd heard about the INL program, which 
helps prepare vendors and plant operators for attacks on their systems, 
and he thought he'd drop them a line to find out how good they really 
were.

He was not impressed.

[...]


_____________________________________________________
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn