Security Watch
Bringing Down the Grid
You can talk about SCADA. You can talk about vulnerabilities. But be careful about conflating the two.
If you're a security writer looking to make a fool of yourself, just write a story combining Supervisory Control and Data Acquisition (SCADA) with vulnerability. You'll prove to be about as good at IT security reporting as Martha Stewart might be at covering NASCAR.
Sure, there's a company that makes software for SCADA, and yes, it turns out it doesn't do an adequate job of parsing packets that systems might receive on a TCP port used for connecting to SQL servers. It's also true that some SCADA systems are integrated with networks that have Internet access, and some Internet-accessible networks have bots or criminals on them.
That doesn't mean that criminals are going to bring down national power grids or muck about with sewage systems.
Vulnerability research is typically published to garner public attention -- specifically, to try and get people who might not otherwise realize they've got insecure software to get updated. Unfortunately, this falls way short of that mark.
Do you really think an electric power company is going to rely on information from some lesser-known research organization over whatever it might get directly from its vendors? Might the electric power company modify its network because of some vulnerability scenario that's implausible? I doubt it.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.