Experts: Pressure SCADA developers on security as you would software vendors
The stakes are higher with the security of factories, power plants and other industrial systems, so the issue must be raised: What should the rules of disclosure for SCADA vulnerabilities be?
By George V. Hulme
May 26, 2011 — CSO —
The discovery of a number of what have been described as serious vulnerabilities within industrial control systems built by manufacturing giant Siemens AG -- and the subsequent nixing of a presentation about those very vulnerabilities -- has raised questions about how the nature of vulnerability disclosure should -- or shouldn't -- change when it comes to the security flaws in industrial systems.
As covered earlier this week in our story "A botched fix, not legal demands, nixed SCADA security talk," NSS Labs researchers pulled a presentation after a fix Siemens offered failed to mitigate the attack. A day after that story, Dillon Beresford, the NSS Labs researcher who discovered and reported the flaws, took aim at Siemens on the SCADASec mailing list for downplaying the seriousness of the vulnerabilities. According to the report "Siemens says it will fix SCADA bugs," the company is downplaying the SCADA flaws. "While NSS Labs has demonstrated a high level of professional integrity by providing Siemens access to its data, these vulnerabilities were discovered while working under special laboratory conditions with unlimited access to protocols and controllers," Siemens said.
Beresford countered: "The flaws are not difficult for a typical hacker to exploit. Also there were no special laboratory conditions with unlimited access to the protocols. My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory. I purchased the controllers with money my company so graciously provided me with."
In a prior interview, NSS Labs Chief Technology Officer Vikram Phatak told CSOonline that the cost of the equipment was roughly $2,500. That's certainly a lower bar to uncover SCADA-related flaws than has been generally discussed.
With that in mind -- and the stakes higher with the security of factories, power plants, and other industrial systems in question -- the issue must be raised: What should the rules of disclosure for SCADA vulnerabilities be?
The answer from experts, surprising to some, is that the rules should not be much different at all, with some caveats. "When it comes to medium risk and lower vulnerabilities, I don't think the disclosure rules should be different with SCADA systems than traditional software," says Phatak. "The researcher should contact the vendors and give them a reasonable period of time to remedy their flaw. With more serious flaws, perhaps the vendor needs more time. But it's crucial to keep the heat on the vendors to fix these issues."