Cyber Security Institute


Friday, June 16, 2006

SCADA industry debates flaw disclosure

The outing of a simple crash bug has caused public soul-searching in an industry that has historically been closed-mouthed about its vulnerabilities. The flaw, in a particular vendor’s implementation of the Inter-Control Center Communications Protocol (ICCP), could have allowed an attacker to crash a server. Yet, unlike corporate servers that handle groupware applications or Web sites, the vulnerable server software—from process-control application maker LiveData—monitors and controls real-time devices in electric power utilities and healthcare settings. The best-known types of devices are supervisory control and data acquisition (SCADA) devices and distributed control system (DCS) devices. A crash becomes a more serious event in those applications, said Dale Peterson, CEO of Digital Bond, the infrastructure security firm that found the flaw.

“These are what you would consider, in the IT world, critical enterprise applications,” Peterson said.

LiveData maintains that the flaw is a software bug, not a security vulnerability, pointing out that it only affects how the LiveData ICCP Server handles a non-secure implementation of the communications protocol—typically used only in environments not connected to a public network.

“In general, SCADA networks are run as very private networks,” said Jeff Robbins, CEO of LiveData.

The incident has touched off a heated debate among a small collection of vulnerability researchers, critical infrastructure security experts and the typically staid real-time process control systems industry.  The controversy mirrors the long-standing dispute between independent researchers and software vendors over disclosing vulnerabilities in enterprise and consumer applications.

Last week at the Process Control System Forum (PCSF), a conference on infrastructure management systems funded by the U.S. Department of Homeland Security, a similar debate played itself out. Perhaps three dozen industry representatives and security researchers met during a breakout session to hash out the issues involving disclosure. The tone became, at times, contentious, said Matt Franz, the moderator of the conference panel on the topic and a SCADA security researcher with Digital Bond. “‘It puts people and infrastructure in danger,’ they said.”

Moreover, many vendors did not appreciate the involvement of the U.S. Computer Emergency Readiness Team (US-CERT), the nation’s response group tasked with managing the process of vulnerability remediation for critical infrastructure, Franz said.

The debate over how disclosure should be handled underscores both the intense focus on SCADA and DCS systems as potential targets of cyberattacks and the position of many companies in the real-time process control systems industry that vulnerabilities in such systems require special treatment.

For between 5 and 10 percent of the networks audited by PlantData, a single ping attack or a data flood aimed at a SCADA system could shut down most of the managed devices, Pollet said.

http://www.securityfocus.com/news/11396

Posted on 06/16