Inside CERT Australia
mask.of.sanity writes "The Australian Government has a list of software holes that are so sensitive they're kept hidden from the public. These weaknesses are being used by criminals to steal our money and our data. They may even be a cornerstone to planned attacks on critical infrastructure, like energy, water and transport. But in the murky battle between those that protect us and those who seek to harm, these vulnerabilities are also the bait with which cyber-criminals are caught."
I integrate, deploy, and maintain a SCADA system for a large water and waste-water utility.
Here are some facts on the ground:
1. Yes, the software is out of date, and it is poorly reviewed. The reason is that the market is small, the deployment costs are huge, and it is difficult to differentiate the bad from the worse. The effort required to swap out SCADA or control system software makes similar office operations look trivial.
2. Yes, the flaws are hard to fix. We design these things for safety and reliability first. We have an ethical duty to turn the CIA model upside down to become the AIC model. Security is often an afterthought. In any case, most of you probably do not realize that security for an industrial process is very different from security for an office. In an office, if the computer stops, the whole office process stops and that's it. Nothing more happens. In an industrial process, the physics and chemistry of the process will continue to do something whether your control system is online or not. In other words, unlike in an office, the control system for an industrial process augments the process; it does not run it. Thus, if you crash the office computers, everything stops. If you crash a control system, the process keeps doing something, even if it is something that nobody would ever want.
3. Industrial processes can't "just shut down" on a whim. To patch a control system you need to get to a place where the process can be safely shut down, and the new process can be safely validated to prove that it does everything that is expected of it. Getting this much time and attention from people takes significant down time. With the lean operations that most places run, that kind of downtime may not be available for an entire SEASON.
4. Because of this, revealing software flaws is often a dangerous proposition. By the time we can safely patch something in an industrial control system, there may be tool kits for script kiddies.
5. Due to safety concerns, almost nobody will seriously consider an effort to spray patches to the field. Again, this is not the office. The penalty for getting things wrong could be deadly. Automated patching without careful testing on each stage of the process can be a firing offense in some companies.
I believe that the theory that the Australian CERT is using is that by keeping some flaws quiet, they reduce the chance that others may develop script kiddie development kits. I honestly do not know whether this can work, but I give them credit for trying. It will be interesting to see what metrics they use to prove this effort is effective.
Finally, please stop with the "industrial software is crap" nonsense. We engineers know that all too well; but there are no better alternatives. Would you like to see us go back to the days when everything was run with pneumatic controls or analog computers? I'll bet you wouldn't appreciate the prices you'd pay. If you like electricity and running water, find ways to write better software.
Nearly fifty percent of all graduates come from the bottom half of the class!