
Friday News and Notes

  • A survey in Control magazine shows that 44% say a Safety Instrumented System (SIS) should not be connected to a process control system, while 56% say it’s safe to do so. Of course you can guess my opinion on this, but either way you look at it, about 50% are wrong.
  • The industrial firewall space is getting crowded. The latest entry is a firewall designed and manufactured in Germany and available from the Australian company Paqworks, the AdsTec Industrial Ethernet Firewall (hat tip: Stephan Beirer from GAI NetConsult).
  • In my Secure DNP3 podcast with Grant Gilchrist, I lamented the fact that requiring often-unnecessary TLS encryption for DNP3 over TCP/IP increases the attack surface. Microsoft’s Patch Tuesday provided a vivid example, where a Schannel vulnerability could allow heap memory corruption via the SSL/TLS handshake. The result is either remote control of the system or a reboot. If history is a guide, many vendors will either implement their own TLS code or use some inexpensive or free code that may lack appropriate QA. Even worse, they may deploy a web server just to get the TLS service. Keep your attack surface to a minimum.
  • On a related note, Matasano had an interesting blog entry this week on the dangers of embedded third-party applications or libraries. The key takeaway from it is “Enterprise. Identify what third party components (and their version numbers) exist inside of the applications you purchase. This will let you track which libraries and open source/third party projects that are actively deployed in your enterprise.” Third-party components have been the cause of some of the SCADA vulnerabilities published by US-CERT.
