Denial gets you nothing but Owned

From the Register:
Citect yanks ‘misleading’ SCADA bug advisory

Citect, a designer of software used by manufacturing plants and other industrial facilities, has removed an advisory that played down a vulnerability in one of its popular pieces of software.

Citect’s move followed last week’s release of proof-of-concept code that exploited a vulnerability in CitectSCADA, which is used to manage industrial control mechanisms known as SCADA (Supervisory Control And Data Acquisition) systems. The bug meant systems that relied on the software could potentially be exposed to tampering by disgruntled employees or terrorists.

Traditional IT software vendors have been learning this lesson for a long time.

Apple and Microsoft are still slow to the table.

But it looks like the tide is rising.

Vendors of SCADA system software are starting to feel the heat.

Many of these companies are used to writing systems that stay in service for decades. And from what I've read over the past few months, most of them are still relying on security models from decades ago as well.

I'm an advocate of two things:
1) A central set of cyber security requirements for all power-related critical infrastructure.
2) The US Government putting its money where its mouth should be.

The point of both is to push security requirements into the front end of the procurement process. That pushes security needs back onto the vendors, who are in the best position to ensure secure products.

Ask me about the secure composition problem later. For now, I’d settle for just one secure product…

PS - this article reminds me of the Helm’s Deep battle scene from The Two Towers, for those of you into LOTR (start at 8:40). You can say you are secure, but what say you when your defenses are obliterated?

Bill

One Response to “Denial gets you nothing but Owned”

  1. Jim Says:

    Sorry, but I think this is non-news dragged up by that ‘reputable’ source of info, The Register.

    Sure, Citect got criticized in the first instance for a slow response to the original vulnerability (which they did fix) but it seems to me that a company replacing an article with a better, more useful article given further information is a positive thing, and that this is simply about posturing and self-promotion by one of the security companies (they know who they are!).

    From what I can tell Citect are actually stepping up their security game and this is simply one example of it.
