Security Watch

Bringing Down the Grid

You can talk about SCADA. You can talk about vulnerabilities. But be careful about conflating the two.

If you're a security writer looking to make a fool of yourself, just write a story combining Supervisory Control and Data Acquisition (SCADA) with vulnerability. You'll prove to be about as good at IT security reporting as Martha Stewart might be at covering NASCAR.

Sure, there's a company that makes software for SCADA, and yes, it turns out it doesn't do an adequate job of parsing packets that systems might receive on a TCP port used for connecting to SQL servers. It's also true that some SCADA systems are integrated with networks that have Internet access, and some Internet-accessible networks have bots or criminals on them.

That doesn't mean that criminals are going to bring down national power grids or muck about with sewage systems.

Vulnerability research is typically published to garner public attention -- specifically, to get people who might not otherwise realize they're running insecure software to update it. Unfortunately, this falls way short of that mark.

Do you really think an electric power company is going to rely on information from some lesser-known research organization over whatever it might get directly from its vendors? Might the electric power company modify its network because of some vulnerability scenario that's implausible? I doubt it.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
