We haven’t written about security since last August, although we have continued to add links to relevant blogs and assorted articles to that earlier post – Abominable Security Commitment – as we became aware of them.
That blog was inspired by a tweet from one of the leading exponents of security, the Stuxnet Terminator, Eric Byres.
His latest outpouring, if that’s not too strong a word, is headed “Time for a revolution”. He was heading home from Digital Bond’s S4 SCADA Security Symposium in Florida (USA) and mulling over what he had heard and learned at the event.
“After listening to two days of excellent, but scary talks, the first thing that comes to mind is “SCADA/ICS security is in worse shape than I thought”. Much worse shape…”
The really scary thing is that the infection of industrial control systems which attracted so much publicity in the last two years – most notably, I suppose, with the Stuxnet malware – is barely a measurable blip on the graph of such incidents since the turn of the century. He quotes Seán McBride, a co-founder of Critical Intelligence, a company which provides cyber situational awareness and threat intelligence services for industrial control system users and vendors. McBride said, alarmingly, “The public disclosures barely scratch the surface of the vulnerabilities that actually exist”.
Of course that would be serious enough, but the situation is far more serious than even that! As Byres reports: “Now maybe the news wouldn’t be so bad if the ICS vendors were like the IT vendors and fixed these bugs, but it appears that many are not. Less than half of the 364 public vulnerabilities have patches available. Some ICS companies simply don’t appear to care.”
Public trust in many institutions and technologies previously thought impregnable has deteriorated: church, state and financial institutions have all been revealed to have feet of clay, mainly because care was not taken. It looks like the professions of IC and IT are similarly infected!
• Security Seer Byres foretells the future! Will it be secure, or will we even know? Will automation and IT professionals be vigilant? Will further infestations be found? Read his SCADA Security 2012 Crystal Ball.
• ICS Perspectives (Industrial Defender) has just published a blog post with more information on the conference: Living in a Post-Basecamp world: 3 Takeaways from Project Basecamp (Jacob Kitchel, 27/1/2012)