So what should we do about security? #pauto #cybersecurity

July 21, 2010

OK, faced with the Siemens vulnerability, which could have been anybody else's vulnerability just as easily, what should we do?

I've been accused of being an apologist for vendors, but that's not what I am. As long as end-users are accepting (and in many cases, specifying) software that runs on Microsoft Windows and Windows Server versions, these vulnerabilities will show up. I am a realist who's had a career in product marketing, sales, and new product development, and I know from the inside what it is like.

Yes, the vendors offer their software on Windows, but they would change if the end-users told them to. If a bunch of end-users said they'd no longer accept Windows operating systems but wanted Linux instead, AND THEY WROTE THEIR PURCHASING SPECIFICATIONS THAT WAY, you'd be amazed at how fast software would be ported to the Linux platform of choice.

Should Siemens and the other vendors do more? Well, sure. But how much testing, in the form of increased time to market, higher product cost and higher sales prices, are the end-users willing to accept? Or will they push for faster delivery, faster upgrades, faster, faster, faster-- as BP appears to have done with the crew of the Deepwater Horizon? This doesn't excuse the vendors. This is, however, a legitimate question. Are you willing to wait 5 years between major upgrades? Are you willing to pay 2x the current prices to pay for the additional security testing? 3x? 4x, 5x or more?

But just as BP has stepped up to pay for cleaning up their mess, Siemens has stepped up and is working feverishly on a way to close this hole. So is Microsoft.

Much has been made of the hard-coded passwords in the WinCC product-- well, this isn't something that only Siemens does. This is something that is often done, so that in an emergency, supervisors and even telecommuting instrument engineers and techs can get into a machine quickly. Are there other ways to do this? Probably. But until the production of cheap biometric locks in the past couple of years, it was hard to do.

Much more should be made about the fact that the Realtek certificate was forged. If we cannot trust institutions that were specifically set up to foster trust, we're really in trouble.

The bottom line is that ANY software has vulnerabilities. It is between the vendor and the end-user what vulnerability level they are willing to mutually accept. End-users can always try to get laws passed to force vendors to be even more responsible than they are now. But those same end-users shouldn't come crying when the law of unintended consequences reduces their choices and raises their costs.

Furthermore, vendor companies ARE responsible. They have the hideous example of Citect, which thought it was trying to comply-- and was hounded out of business. Citect still exists, sort of, buried within the Schneider organization.

Before you blame Siemens, or Microsoft, for this situation, just remember how much responsibility we all bear.
