Just surfing the web
Typing “scada” as the search key in a Google News search (http://news.google.com) reveals that, as a whole, the industry (vendors, asset owners, and security players) still needs to raise the bar on security awareness and must change its mindset in a couple of key areas.
While I don’t want to become a purveyor of FUD, when vendors issue press releases publicizing how they have just sold umpteen millions of dollars of product X to asset owner Z (such as this one found by a Google News search), the release, while being good publicity, in some ways gives away the keys to the kingdom. Any attacker interested in targeting asset owner Z now knows what flavor of control system he needs to research, replicate and exploit.
In another vein of thought, the Wonderware DoS attack alert made Google News, and it has some interesting implications. In the past, the hardest step for a control system attack against an installation with decent security (e.g. good defense in depth with proper network segmentation, well-configured firewalls, access control, etc.) was to move from either the corporate or DMZ segment into the control system LAN(s).
The exchange between the exploit team at Core Technologies and Wonderware (seen here in the timeline) indicates that the com channel exploited in this vulnerability is generally allowed through the firewall. This becomes particularly interesting when you do a search on the terms “web enabled” or “web server” and SCADA and start counting how many vendors are now extolling their new “world wide web” ready and “web enabled” products.
These products push ease of use as their main feature and include verbiage like “… with SMS reporting and remote control to provide real-time access anytime, anywhere through a standard Web browser.” and “… [productx] modules were designed from the ground up using OPC and ActiveX technology making them fully Web-enabled! With these [productx] Web Solutions, you can view your HMI/SCADA application across your local intranet or the World Wide Web through your Internet Explorer browser.” in their sales literature.
Though I haven’t done a lot of in-depth research into the specifics of these products, the very idea of increasing the number of exceptions for firewall rules worries me, especially browser-based connectivity, as the number of client-side browser exploits seems to continuously grow. Control system components allowing connections to thin web servers from anywhere on the outside to inside the control LAN through firewall exceptions frankly give me the willies. But not quite as bad as the idea of every HMI operator having a browser on his console that allows him not only to use his browser to control the process, as the HMI is web based, but to surf to basically anywhere on the “wild woolly web”.
Author: Kevin Lackey
Posted: May 7th, 2008 under Uncategorized.