[SCADASEC] Fwd: [Full-disclosure] CORE-2008-0129 -WonderwareSuiteLink Denial of Service vulnerability
Marc Tritschler
marctrit at googlemail.com
Mon May 12 10:19:28 CDT 2008
Jake,
No offence taken! Your comments are of course totally valid, and highlight
that the security issue is just one aspect/symptom of a larger problem. The
requirement to deliver projects to tight budgets and timescales inevitably
leads to quality issues. Those quality issues may manifest themselves
during the project, but equally well they have a nasty habit of manifesting
themselves after the project has been completed and the project team
disbanded (contractors released, vendors paid, internal staff move on,
etc.). And some of these quality issues surround the
maintainability/supportability/vulnerability/updateability?/securability??
of the system. All the sorts of things that no-one is given the time to
really think about and address during the project.
I like the idea of your process control group. I have suggested a very
similar group for several of my clients, to bring together a team who
together have an in-depth understanding of the entirety of the control
systems landscape that the organisation relies on, and can take (security)
actions and decisions with that holistic view. The actions and decisions I
am talking about range from setting (security) policies relevant to control
systems, undertaking risk assessments, design reviews, defining (security)
roles and responsibilities on project teams, and so on. To me the formation
of such a group is a fundamental step, but some clients choose not to take
it. One of the reasons for this has been that security often isn't
something that attracts budget, so there's no funding for this kind of
thing. This has led me to remove the word "security" from the description
of this team (that's why it's in parentheses in the preceding text) and
focus the argument for the formation of such a team on the need for "good
governance" of control systems. That way it's couched in language which is
better understood at corporate level, is associated with corporate risk
management, and covers more than just security risk. This has resulted in
more interest in the idea from some clients.
I'd be interested in your comments on this approach based on your
experiences in setting up your group, and also any comments from other list
members on this topic. Feel free to contact me off-list if preferred.
Thanks,
Marc Tritschler
KEMA Limited
2008/5/9 Brodsky, Jake <jBrodsk at wsscwater.com>:
> My point is that the people on this list are a minority. As a user,
> we're going to test the new Suitelink service in our lab very soon. If
> all goes well, we will probably begin deployment next month.
>
> I meant no offense against the many consultants on this list. However,
> we need to acknowledge that many consultants are not security or IT
> oriented.
>
> In the projects that I've seen among many water utilities, controls are
> often considered to be an afterthought by the project managers. They
> slap them together with very little attention to how well they work.
> This is because the fundamentals of the control system are often far
> outside their experience. But by the time they're working on this
> stage, everyone is trying like hell to get the project over and done
> with. They've been working on it for years, sinking millions into the
> project, they want to start up, prove the stuff works and then get
> payment for substantial completion.
>
> It's difficult to discuss the nuances of a control system design with a
> project manager who is under all sorts of clouds of potential lawsuits
> for any delays. They want the damned job over with. From their
> perspective, it's millions of dollars waiting on the performance of a
> sub or even a sub-sub contractor.
>
> So we get these systems installed in a white heat, with all sorts of
> corners cut, very little validation, and then along comes the guy with
> the security hat and all they can think to do is to throw him out the
> door. They really do not want to hear about it.
>
> That's one major reason why our company gathered about a dozen staff
> with backgrounds as engineers, construction inspectors, electricians,
> instrumentation specialists, telecommunications, and IT, and made a
> process control group. We have to be there to clean up the mess and
> enhance the process so that the control system will continue to serve us
> well into the future.
>
> Our staff cares about security because we know it will be our asses in
> the field if this stuff gets hacked. But we're an oddity in this
> business. Most control system integration is done by a sub-contractor
> who normally doesn't find out much of the control system until the
> design has already been perpetrated.
>
> Customers like that aren't likely to know what they have or how it
> works. The integrators may not know much, nor would they know who to
> contact in many cases, as they were only sub-sub contractors.
>
> This is not a healthy situation. Users don't know what the hell is
> going on, and the contractors/integrators/consultants are often not on
> speaking terms until they get paid, and then along comes a security flaw
> like this.
>
> I challenge anyone to try pushing a security update in an environment
> like that.
>
> Jake Brodsky
>
>
> -----Original Message-----
> From: scadasec-bounces at news.infracritical.com
> [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Marc
> Tritschler
> Sent: Wednesday, May 07, 2008 4:09 AM
> To: scadasec at news.infracritical.com
> Subject: Re: [SCADASEC] Fwd: [Full-disclosure] CORE-2008-0129
> -WonderwareSuiteLink Denial of Service vulnerability
> Importance: Low
>
> So I agree with Jake that many people won't even know that they use
> Suitelink, but I don't agree that consultants won't know to look for it -
> this one did!
>