Comment from Ron Southworth
Time: January 24, 2010, 7:46 pm

Hi Dale,

A counter point. I have been – till now – very quietly disappointed in one player in the security provision industry. A company very well know.

One supplier I know of in the last 12 months has made contact with this security company in order to attempt to comply with a specification that was put forward to them in order to win a fully compliant supply contract, simplisticly the requirement intent was to improve the “hardening” of their RTU devices.

Both organisations are well known enterprises in North America.

I won’t divulge any further details on the issue however, the vendor company being actually interested in improving their products conducted some initial dialogue and in order for the vendor to sign up with the security company it was going to take a commitment in the order of multiple millions of dollars.

How does this help the industry in promoting security when this sort of behaviour occurs, despite some conjecture, the margin’s on these products are not that great in the grand scheme of things. These are not high volume products sold by the tens or hundreds of thousands as is the case with consumer products (IT products lumped into this catagory BTW)

When you conisder the amount of R&D that goes into a RTU product there is not that high a return actually. Most wise people would gain a better return by simply leaving their money in the bank.

This is why most vendors when faced with being outed talk about control measures. The problems uncovered are most likely not going to be short term easy things to fix, most RTU security related problems are in the same order of magnitude and there are a lot of mitigation techniques that end users should have in place that would significantly reduce the risks. We all know there are problems with this sort of stuff so how do we move forward when these early steps forward get in teh way of real progress.