The Marketing Department Fixed Those SCADA Vulnerabilities

Wednesday, May 25, 2011

J. Oquendo


From 2009 through now, Toyota issued recalls on a lot of vehicles for various reasons [1]. Most may remember the largest vehicle recall to date with Toyota recalling millions of vehicles due to a braking issue with the cars.

The recall cost upwards of $2 billion [2] but we can infer that they responded quickly and handled the incident responsibly. Most products that are defective usually have guidelines [3] for the vendors to do what is right but what about software?

Most reading this will be in some shape form or fashion involved with security, after all, it is a security based website. To you the reader, where have we gone wrong where we have learned to "settle" for whatever vendors choose to give us?

After watching the on-going Siemens fiasco [4], I have to wonder at what point, will a government agency start issuing sanctions on companies that fail to meet their obligations.

"Obligation: 2. a. A social, legal, or moral requirement, such as a duty, contract, or promise that compels one to follow or avoid a particular course of action." [5] Certainly it is the government who holds enough "weight" to hold companies accountable however, the government seems to be oblivious to security on this level.

Now Siemens is no stranger to security holes, remember it was Stuxnet that targeted and exploited Siemens' software two years ago. Even now - two years after Stuxnet - many in the SCADA arena are fully aware that Siemens has still dropped the ball on fixing all of the issues associated with Stuxnet.

Imagine that, two years ago, security professionals via way of discovering Stuxnet concluded that Siemens' software had gaping holes. Two years forward, they still have not fixed those initial holes.

Now, we are hearing and reading about Dillon Beresford's exploits against Siemens and we are seeing Siemens trying to market this away casually: "Nothing to see here move along." What is wrong with this picture? Should we wait until there is a nuclear fallout?

As a independent hobbyist security researcher myself, I commend Dillon for doing what he believed was right. I too have had public discussions raising concerns against releasing certain types of vulnerabilities [7] as it is a dual edged sword.

The reality is, if Dillon found it, so too will someone else regardless if Dillon publicly speaks about his findings. This in of itself (discovery of vulnerabilities) should be of a high concern to Siemens and other vendors: "Do you truly believe someone else won't find it?"

What will it take before application vendors take security serious? $171 Million [8], $5 billion [9] in losses? How much are consumers willing to tolerate from vendors who sell shoddy software?

As a consumer, many would return a pair of shoes that didn't fit yet with software, no one is complaining loud enough. This allows vendors seem to take the money and run [10]. There is no oversight and DHS' response is puzzling [11].

While understandable they would contact someone for what they perceive to be a "high value exploit," what is their public response to Siemens? Where are governments amidst all this security chaos?

DHS, Siemens and other similar organizations are naive to think that attackers aren't actively exploiting their software. Regardless if a researcher decided to not publicly speak about an exploit, there is an assumption that it isn't already exploited.

How wrong they are. I know myself as a researcher, I have some interesting "tools" up my sleeve which I have discovered and there are millions of others just like me. In fact, some of the better "exploit systems" such as Canvas [12] have some non-public exploits as well.

Anyhow, kudos to Dillon for sticking to his guns amidst scrutiny from both sides of the fence (security professionals and vendors).

However, the reality is, Siemens' response to this debacle just made "full disclosure" a lot more sensible to others who will use this as an example to raise a fist in defiance and unleash more exploits leaving vendors to do what they should have been doing from the beginning, make better more secure software.

While many may choose to condemn the researchers, I see very little condemning the vendors who are putting lives at risk with their marketing team security fixes.



Possibly Related Articles:
Information Security
SCADA Vulnerabilities Stuxnet Infrastructure DHS Siemens Dillon Beresford
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.