Security by obscurity, vendor disclosure, NERC requirements, etc – what a mess
Several months ago I was approached by an IT device tester interested in penetration testing control system devices. I arranged a joint program with a utility and the device tester to test several typical substation devices. The devices the utility sent to the vendor ostensibly were from vendors that had secure devices – there were no vulnerability disclosures. The quid pro quo was that the utility would get the results of the testing, which could help to educate their personnel about control system vulnerabilities, while the device tester would have a marketing opportunity.