Bugtraq mailing list archives

Re: Vulnerabilities in some SCADA server softwares

From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 23 Mar 2011 16:10:43 -0400

On 3/23/2011 11:27 AM, Kent Borg wrote:

Would I install a stack of SCADA upgrades to *my* functioning
factory?  Maybe not.

Scary, scary stuff.

Security needs to be designed in, implemented carefully each step
along the way, and reviewed.  Instead people with "security" in their
job title so often seem to think security is firewalls, buying
anti-virus support contracts, and requiring use of MS Outlook and
Internet Explorer.


-kb, the Kent who will shut up now.


This is a big fact that many are overlooking. Regardless if the vendor
is a complete and utter moron, patches don't come easy for these
systems. Secondly, many of these systems are very old and are being
"propped' up by new software. There is no running out to deploy PLCs
that can fail because of a glitch.

Security wasn't a factor in the 50s, 60s, 70s and so on as it has become
now. No one foresaw that by even sending one too many ICMPs at a modbus
would crash it. THIS is the reality of SCADA systems. It has nothing to
do with "hiding the bugs hoping they will go away." It isn't about:
"they attacked Linux, then Windows, now SCADA" boo-hooisms. Completely
separate playing field.

Sure these need to be designed properly however the reality is, many of
these systems are old. Many of these systems control the quality of the
water we drink, the pollution leaving a plant, the power being
generated. This isn't: "release it... make em fix it fast... that'll
teach them." I wonder how the author would feel if say a water treatment
plant in his area was affected causing all the water around him to be toxic.

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

42B0 5A53 6505 6638 44BB  3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF

Current thread:

Re: Vulnerabilities in some SCADA server softwares, (continued)
- - - Re: Vulnerabilities in some SCADA server softwares Kent Borg (Mar 24)
    - Re: Vulnerabilities in some SCADA server softwares Theo de Raadt (Mar 23)
    - Re: Vulnerabilities in some SCADA server softwares Jamie Riden (Mar 24)
    - Re: Vulnerabilities in some SCADA server softwares Willy Tarreau (Mar 25)
    - Re: Vulnerabilities in some SCADA server softwares bugtraq (Mar 24)
    - Re: Vulnerabilities in some SCADA server softwares CJC (Mar 24)
    - Re: Vulnerabilities in some SCADA server softwares Michal Zalewski (Mar 24)
    - Re: Vulnerabilities in some SCADA server softwares J. Oquendo (Mar 23)
    - Re: Vulnerabilities in some SCADA server softwares Mike Hoskins (Mar 23)
  - Re: Vulnerabilities in some SCADA server softwares Kent Borg (Mar 23)
    - Re: Vulnerabilities in some SCADA server softwares J. Oquendo (Mar 24)
  - Re: Vulnerabilities in some SCADA server softwares Pavel Kankovsky (Mar 24)