[SCADASEC] Fwd: [Full-disclosure] CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability
Brodsky, Jake
jBrodsk at wsscwater.com
Fri May 9 08:32:36 CDT 2008
My point is that the people on this list are a minority. As a user,
we're going to test the new Suitelink service in our lab very soon. If
all goes well, we will probably begin deployment next month.
I meant no offense against the many consultants on this list. However,
we need to acknowledge that many consultants are not security or IT
oriented.
In the projects that I've seen among many water utilities, controls are
often considered to be an afterthought by the project managers. They
slap them together with very little attention to how well they work.
This is because the fundamentals of the control system are often far
outside their experience. But by the time they're working on this
stage, everyone is trying like hell to get the project over and done
with. They've been working on it for years, sinking millions into the
project, they want to start up, prove the stuff works and then get
payment for substantial completion.
It's difficult to discuss the nuances of a control system design with a
project manager who is under all sorts of clouds of potential lawsuits
for any delays. They want the damned job over with. From their
perspective, it's millions of dollars waiting on the performance of a
sub or even a sub-sub contractor.
So we get these systems installed in a white heat, with all sorts of
corners cut, very little validation, and then along comes the guy with
the security hat and all they can think to do is to throw him out the
door. They really do not want to hear about it.
That's one major reason why our company gathered about a dozen staff
with backgrounds as engineers, construction inspectors, electricians,
instrumentation specialists, telecommunications, and IT, and made a
process control group. We have to be there to clean up the mess and
enhance the process so that the control system will continue to serve us
well into the future.
Our staff cares about security because we know it will be our asses in
the field if this stuff gets hacked. But we're an oddity in this
business. Most control system integration is done by a sub-contractor
who normally doesn't find out much of the control system until the
design has already been perpetrated.
Customers like that aren't likely to know what they have or how it
works. The integrators may not know much, nor would they know who to
contact in many cases, as they were only sub-sub contractors.
This is not a healthy situation. Users don't know what the hell is
going on, and the contractors/integrators/consultants are often not on
speaking terms until they get paid, and then along comes a security flaw
like this.
I challenge anyone to try pushing a security update in an environment
like that.
Jake Brodsky
-----Original Message-----
From: scadasec-bounces at news.infracritical.com
[mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Marc
Tritschler
Sent: Wednesday, May 07, 2008 4:09 AM
To: scadasec at news.infracritical.com
Subject: Re: [SCADASEC] Fwd: [Full-disclosure] CORE-2008-0129
- Wonderware SuiteLink Denial of Service vulnerability
Importance: Low
So I agree with Jake that many people won't even know that they use
Suitelink, but I don't agree that consultants won't know to look for it -
this one did!