Are ICS vendors really to blame for insecure systems?

April 23, 2012
The  linked-in site, Cyber Security Forum Initiative, has the following thread: “Unfixed SCADA security holes are growing.
The  linked-in site, Cyber Security Forum Initiative, has the following thread: “Unfixed SCADA security holes are growing. Should Vendors be made accountable for hacks to their unpatched SW?”. The implication is that vendors aren’t interested in securing their legacy products. I cannot speak for all ICS vendors, but I do know that many ICS vendors supporting the electric industry are frustrated. This is because many utilities are concerned with NERC CIP compliance to the exclusion of actually securing their legacy control systems. This is because the utilities may not be required to actually secure these systems to be NERC CIP compliant (isn’t that crazy?).  A domestic utility has been willing to act as a test bed for actually SECURING LEGACY ICSs for RELIABILITY considerations. Many ICS vendors I have contacted will be working with the utility to determine how to secure these legacy systems. The lessons-learned from the utility and the ICS vendors will be presented at the 12th ICS Cyber Security Conference the week of October 22nd.

The other concerns with the thread are responses to Aurora and the Idaho National Laboratory (INL) test that are wrong. The Aurora misconceptions and the lessons-learned from a hardware-implementation program will be presented by the utility and sponsoring government organization at the 12th ICS Conference. As Aurora can affect almost all substations, this presentation should be of value to all US utilities since the results of this hardware mitigation plan can reasonably be expected of all US utilities.

Joe Weiss