On 3/23/2011 11:27 AM, Kent Borg wrote:
> Would I install a stack of SCADA upgrades to *my* functioning
> factory? Maybe not.
>
> Scary, scary stuff.
>
> Security needs to be designed in, implemented carefully each step
> along the way, and reviewed. Instead people with "security" in their
> job title so often seem to think security is firewalls, buying
> anti-virus support contracts, and requiring use of MS Outlook and
> Internet Explorer.
>
>
> -kb, the Kent who will shut up now.
>

This is a big fact that many are overlooking. Regardless of whether the vendor is a complete and utter moron, patches don't come easy for these systems. Secondly, many of these systems are very old and are being "propped up" by new software. There is no running out to deploy PLCs that can fail because of a glitch. Security wasn't a factor in the 50s, 60s, 70s and so on as it has become now. No one foresaw that even sending one too many ICMPs at a Modbus would crash it.

THIS is the reality of SCADA systems. It has nothing to do with "hiding the bugs hoping they will go away." It isn't about "they attacked Linux, then Windows, now SCADA" boo-hooisms. Completely separate playing field. Sure, these need to be designed properly; however, the reality is, many of these systems are old. Many of these systems control the quality of the water we drink, the pollution leaving a plant, the power being generated. This isn't "release it... make 'em fix it fast... that'll teach them." I wonder how the author would feel if, say, a water treatment plant in his area was affected, causing all the water around him to be toxic.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP

"It takes 20 years to build a reputation and five minutes to ruin it.
If you think about that, you'll do things differently." - Warren Buffett

42B0 5A53 6505 6638 44BB 3943 2BF7 D83F 210A 95AF
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x2BF7D83F210A95AF