Security Watch

Bringing Down the Grid

You can talk about SCADA. You can talk about vulnerabilities. But be careful about conflating the two.

If you're a security writer looking to make a fool of yourself, just write a story combining Supervisory Control and Data Acquisition (SCADA) with vulnerability. You'll prove to be about as good at IT security reporting as Martha Stewart might be at covering NASCAR.

Sure, there's a company that makes software for SCADA, and yes, it turns out it doesn't do an adequate job of parsing packets that systems might receive on a TCP port used for connecting to SQL servers. It's also true that some SCADA systems are integrated with networks that have Internet access, and some Internet-accessible networks have bots or criminals on them.

That doesn't mean that criminals are going to bring down national power grids or muck about with sewage systems.

Vulnerability research is typically published to garner public attention -- specifically, to try and get people who might not otherwise realize they've got insecure software to get updated. Unfortunately, this falls way short of that mark.

Do you really think an electric power company is going to rely on information from some lesser-known research organization over whatever it might get directly from its vendors? Might the electric power company modify its network because of some vulnerability scenario that's implausible? I doubt it.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

Featured

  • Microsoft Adding Google G Suite Migration in Exchange Admin Center

    Microsoft's Exchange Admin Center will be getting the ability to move Google G Suite calendar, contacts and e-mail data over to the Office 365 service "in the coming weeks."

  • Qualcomm Back in Datacenter Fray with AI Chip

    The chip maker joins a crowded field of vendors that are designing silicon for processing AI inference workloads in the datacenter.

  • Microsoft To Ship Surface Hub 2S Conference Device in June

    Microsoft on Wednesday announced a June U.S. ship date for one of its Surface Hub 2S conferencing room products, plus a couple of other product milestones.

  • Kaspersky Lab Nabs Another Windows Zero-Day

    Kaspersky Lab this week described more about a zero-day Windows vulnerability (CVE-2019-0859) that its researchers recently discovered, and how PowerShell was used by the exploit.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.