Last week, Dale had difficult conversations regarding cyber security with two vendors. Apparently, that was the week for vendor interactions, as I had one too. My interaction was with a control system component vendor, attempting to explain the premise of my upcoming S4 presentation.
I have been downloading as much automation software as I can over the past few weeks, and running Microsoft’s Attack Surface Analyzer against all of it looking for common vulnerabilities and insecure changes. I plan to present the findings at S4, along with some directions for improvement. Please note, this is much different from attempting to find exploits in the software; my work is to see how the software itself can change the underlying OS to make it less secure. I’ve done ~16 pieces of software thus far, and I’m hoping to include a few more as well.
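To make the premise concrete, here is an added example (not code from the original post, and not Attack Surface Analyzer's own format or output) of the kind of before/after comparison the study relies on: two constructed host snapshots, one taken before installing a package and one after, are diffed and the installer-introduced changes that weaken the host are flagged. The snapshot layout, the service name `ExampleOpcServer`, the paths and the port number are all constructed sample values.

```python
"""Diff two constructed host snapshots and flag changes that weaken the OS.

The snapshot structure, sample data and severity rules here are constructed
for illustration; they are not Attack Surface Analyzer's own format.
"""
from dataclasses import dataclass

# Constructed snapshot taken before installing the automation package.
BASELINE = {
    "services": {
        "Spooler": {"account": "LocalSystem", "start": "auto"},
    },
    "listening_ports": {135, 445},
    "file_acls": {
        r"C:\Windows\System32\drivers\etc\hosts": {"Everyone": "Read"},
    },
    "firewall_rules": set(),
}

# Constructed snapshot taken after installing a hypothetical OPC server.
AFTER_INSTALL = {
    "services": {
        "Spooler": {"account": "LocalSystem", "start": "auto"},
        "ExampleOpcServer": {"account": "LocalSystem", "start": "auto"},
    },
    "listening_ports": {135, 445, 4840},
    "file_acls": {
        r"C:\Windows\System32\drivers\etc\hosts": {"Everyone": "Read"},
        r"C:\ExampleOpc\config.ini": {"Everyone": "Full"},
    },
    "firewall_rules": {"Allow any inbound TCP 4840"},
}

WEAK_RIGHTS = ("Write", "Modify", "Full")


@dataclass
class Finding:
    severity: str
    category: str
    detail: str


def diff_snapshots(before, after):
    """Return the security-relevant differences between two snapshots."""
    findings = []

    # New services; weighted higher when they run as the most privileged account.
    for name, svc in after["services"].items():
        if name not in before["services"]:
            sev = "high" if svc["account"] == "LocalSystem" else "medium"
            findings.append(Finding(sev, "new_service",
                                    f"{name} runs as {svc['account']}"))

    # Newly listening ports enlarge the remotely reachable attack surface.
    for port in sorted(after["listening_ports"] - before["listening_ports"]):
        findings.append(Finding("medium", "new_listener",
                                f"port {port} now listening"))

    # ACLs that grant Everyone write or full control allow unprivileged tampering.
    for path, acl in after["file_acls"].items():
        old = before["file_acls"].get(path, {})
        for principal, right in acl.items():
            if (principal == "Everyone" and right in WEAK_RIGHTS
                    and old.get(principal) != right):
                findings.append(Finding("high", "weak_acl",
                                        f"{path}: Everyone has {right}"))

    # Firewall rules added by an installer are often broader than needed.
    for rule in sorted(after["firewall_rules"] - before["firewall_rules"]):
        findings.append(Finding("medium", "firewall_rule", rule))

    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 2}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in diff_snapshots(BASELINE, AFTER_INSTALL):
        print(f"[{f.severity}] {f.category}: {f.detail}")
    print(summarize(diff_snapshots(BASELINE, AFTER_INSTALL)))
```

The point of the comparison is that none of these changes is an exploit in the product; each is a configuration the installer made on the host, which is exactly the class of issue the study is meant to surface.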
The control system vendor I ran into made a zip file containing the software available on their website, but required an email to get the password to the zip file. Thinking this was just a formality, I sent in an email explaining the premise of my study. To my surprise, the president of the company responded that they “do not see any value in such a study”, and that their software “is as secure, or as insecure, as others that support OPC Data Access V2.0”.