Disclosure Issues - Unintended Consequences

July 5, 2011
I was approached by an IT penetration tester early this year wanting to test ICS equipment. This seemed like an ideal test to see if ICS equipment would be too arcane for the IT community to understand. It took less than a day for the IT tester to find many vulnerabilities, some extremely critical, including allowing control of the VxWorks device. This would normally have been bad enough.
However, an unintended glitch arose. The need to protect intellectual property (computer code) has an unintended consequence: it can prevent review of that code for security reasons. Restrictions on code review also extend to penetration testing. This unforeseen problem can preclude even the asset owners from having vulnerabilities in their own equipment disclosed to them, which is what happened in this case.
One needs to consider what happens when you download software. There is generally an agreement that must be signed before you can download it. It may include a statement prohibiting third parties from reviewing the software. Such terms need to be modified for security purposes.
There will be discussions on these issues at the September ACS Conference.
Joe Weiss