[ISN] Experts: Pressure SCADA developers on security as you would software vendors

From: InfoSec News <alerts_at_private>
Date: Fri, 27 May 2011 02:03:56 -0500 (CDT)

By George V. Hulme
May 26, 2011 

The discovery of a number of what have been described as serious 
vulnerabilities within industrial control systems built by manufacturing 
giant Siemens AG -- and the subsequent nixing of a presentation about 
those very vulnerabilities -- has raised questions about how the nature 
of vulnerability disclosure should -- or shouldn't -- change when it 
comes to the security flaws in industrial systems.

As covered earlier this week in our story "A botched fix, not legal 
demands, nixed SCADA security talk," NSS Labs researchers pulled a 
presentation after a fix Siemens offered failed to mitigate attack. A 
day after that story, Dillon Beresford, the NSS Labs researcher who 
discovered and reported the flaws took aim at Siemens on the SCADASec 
mailing list for downplaying the seriousness of the vulnerabilities. 
According to the report "Siemens says it will fix SCADA bugs," the 
company is downplaying the SCADA flaws. "While NSS Labs has demonstrated 
a high level of professional integrity by providing Siemens access to 
its data, these vulnerabilities were discovered while working under 
special laboratory conditions with unlimited access to protocols and 
controllers," Siemens said.

Beresford countered: "The flaws are not difficult for a typical hacker 
to exploit. Also there were no special laboratory conditions with 
unlimited access to the protocols. My personal apartment on the wrong 
side of town where I can hear gunshots at night hardly defines a special 
laboratory. I purchased the controllers with money my company so 
graciously provided me with."

In a prior interview with NSS Labs Chief Technology Officer Vikram 
Phatak, he told CSOonline that the cost of the equipment was roughly 
$2,500. That's certainly a lower bar to uncover SCADA-related flaws than 
has been generally discussed.


Tegatai Managed Colocation: Four Provider Blended
Tier-1 Bandwidth, Fortinet Universal Threat Management,
Natural Disaster Avoidance, Always-On Power Delivery 
Network, Cisco Switches, SAS 70 Type II Datacenter. 
Find peace of mind, Defend your Critical Infrastructure.
Received on Fri May 27 2011 - 00:03:56 PDT

This archive was generated by hypermail 2.2.0 : Fri May 27 2011 - 00:12:44 PDT