SCADA Vulnerabilities

Today is the day that Tofino Security is announcing that I have joined their team.  I am very excited about this, particularly because I believe that industrial cyber security is the next major impactful technology to hit the automation industries.

I am also excited to be joining Eric and Joann Byres and their group; people I have high regard for, as I believe Tofino Security technology is poised to lead the way in protecting the critical infrastructure industries.

Nowadays Stuxnet has become a household term the second anyone talks about cyber security for industrial control systems (ICS). This sophisticated piece of malware first identified in 2010, showed just how powerful an ICS compromise could be in terms of both the impact to manufacturing operations and the possibility of mechanical damage. Was this an isolated attack, unlikely to occur again, or the beginning of a new era in ICS security issues?

As mentioned in a blog article we wrote earlier this week, an Italian “Security Researcher” named Luigi Auriemma published thirty-four SCADA product vulnerabilities against four SCADA products (the complete list of vulnerabilities and companies is provided in the earlier article).

One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more. Vulnerabilities are not just bad luck – they are caused by a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are experienced professionals who do little in terms of security assessments prior to commissioning systems in actual production facilities.