Bugtraq mailing list archives
Re: Vulnerabilities in some SCADA server softwares
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 24 Mar 2011 11:12:07 -0700
> A lot of people are failing to see the vendors' customer side of things. Industrial Control Systems (ICS), SCADA users, historically have their focus on availability (you don't want your electricity/water/petrochemicals being cut now, do you) and safety (no one wants to die making sure you get your electricity/water/petrochemicals), and security was never an issue because the SCADA systems were air gapped and the security needs were different than IT security.

Exactly the same arguments could have been brought up 15 years ago against the then-disruptive and novel disclosure of vulnerabilities in Unix systems or in Windows ("you can't just expect to shut down a bank and roll out potentially disruptive security updates every week!" coupled with "vendors certainly know what's best for us").

Back then, commodity OSes have been designed insecurely because of similar business considerations, and not because of malice. The roots of BUGTRAQ are with the movement to end bug secrecy of that era. It caused some pain, and also caused some significant long-term improvements by convincing the public and the vendors that security is something you simply can't afford not to care about.

Views on the cost / benefit balance of this process are varied, of course, but knowing what I learned thanks to this process, I sure wouldn't want to be using any of the operating systems available back then.

/mz