On 23/03/2011 6:13 PM, Theo de Raadt wrote:
If *any* threat exists, that threat is increased by public exposure of unmitigated attack methodologyI think you have it wrong. Public exposure increases the visibility, and therefore customers install the patches quicker. Without public visibility, they will keep running the old code.
Whilst I understand the whole "stick it to the vendor argument", and now SCADA systems seem to be fair game to security researchers wanting to make a name for themselves in this high profile field.
A lot of people are failing to see the vendors customer side of things. Industrial Control Systems (ICS), SCADA users, historically have their focus on availability (you don`t want you electricity/water/petrocehmicals being cut now do you) and safety (no one want to die making sure you get your electricity/water/petrochemicals), and security was never an issue because the SCADA systems were air gapped and the security needs were different that IT security. With Business pressures this air gap has gone away, but the original requirements of availability and safety still hold. And whilst you can all say that scada systems are "broken" you are failing to understand what they are designed for and what the vendors and customers priorities are.
ICS/SCADA engineers also tend to be a wary and cautious lot particularly with changes to their systems, the last thing they need is a patch that breaks their functionality, and so even with patches a lot of testing takes place.
A SCADA system isn't something that you can simply run the equivalent of Windows Update, reboot the machine and all will be well. Because the safety and availability requirements, upgrades can take a lot of planning and a lot of time to impliments. I've heard of upgrades taking anything from a couple of hours to a couple of years!
Because no one wants their electricity cut off just to install the next round of patches.
Now obviously none of this is ideal, but with the issues of patch management within an ICS, full disclosure can cause a lot of problems that whilst the vendor could respond to quickly will cause a lot of grief for the end user, through no fault of their own, or the vendor.