Re: Vulnerabilities in some SCADA server softwares

[Michal Zalewski <lcamtuf () coredump cx>]

> A lot of people are failing to see the vendors customer side of things.
>  Industrial Control Systems (ICS), SCADA users, historically have their
> focus on availability (you don`t want you electricity/water/petrocehmicals
> being cut now do you) and safety (no one want to die making sure you get
> your electricity/water/petrochemicals), and security was never an issue
> because the SCADA systems were air gapped and the security needs were
> different that IT security.

Exactly the same arguments could have been brought up 15 years ago
against the then-disruptive and novel disclosure of vulnerabilities in
Unix systems or in Windows ("you can't just expect to shut down a bank
and roll out potentially disruptive security updates every week!"
coupled with "vendors certainly know what's best for us"). Back then,
commodity OSes have been designed insecurely because of similar
business considerations, and not because of malice.

The roots of BUGTRAQ are with the movement to end bug secrecy of that
era. It caused some pain, and also caused some significant long-term
improvements by convincing the public and the vendors that security is
something you simply can't afford not to care about.

Views on the cost / benefit balance of this process are varied, of
course, but knowing what I learned thanks to this process, I sure
wouldn't want to be using any of the operating systems available back
then.

/mz