Of the security of control systems products.
"Kevin's Theorem" being: all control systems products from a security perspective are crap and when examined will reveal easily exploitable security flaws.
Wednesday, March 23, 2011
Tuesday, March 22, 2011
Sad State of Affairs
It has been 3 months since my last post..... guess I am doing a poor job in blogging, but constant security work and a slow changing landscape do little to inspire ;)
Yesterday Italian security researcher Luigi Auriemma released 34 vulnerabilities with working exploits across 4 different ICS platforms.
In an interview with Dale at Digital Bond, Luigi Noted that it took him on average 2 days to reverse engineer the product and develop a working exploit. 2 days for 1 man without SCADA experience...... not that SCADA experience is necessary for finding these types of vulnerabilities and Luigi is one of the IT worlds best.
Now imagine what teams funded with decent dollars armed with the actual products can accomplish. The fruit in our realm is plentiful and very low hanging.
I would propose that any serious researcher looking at any product line in the industry can find an exploitable vulnerability within a week. The state of our industry is this...... SAD.
I said it in my September 30th rant and I will say it again, there is no security in ICS/DCS/SCADA product lines and they are all full of very easily found and exploited vulnerabilities, and this will not change until the asset owners force the vendors to change their ways.
Yesterday Italian security researcher Luigi Auriemma released 34 vulnerabilities with working exploits across 4 different ICS platforms.
In an interview with Dale at Digital Bond, Luigi Noted that it took him on average 2 days to reverse engineer the product and develop a working exploit. 2 days for 1 man without SCADA experience...... not that SCADA experience is necessary for finding these types of vulnerabilities and Luigi is one of the IT worlds best.
Now imagine what teams funded with decent dollars armed with the actual products can accomplish. The fruit in our realm is plentiful and very low hanging.
I would propose that any serious researcher looking at any product line in the industry can find an exploitable vulnerability within a week. The state of our industry is this...... SAD.
I said it in my September 30th rant and I will say it again, there is no security in ICS/DCS/SCADA product lines and they are all full of very easily found and exploited vulnerabilities, and this will not change until the asset owners force the vendors to change their ways.
Subscribe to:
Posts (Atom)