SCADA: there is a term that tends to scare the crap out of little children and small furry animals these days thanks to the FUD factories. The disconnect is often painful to read about. I have read that SCADA systems are easily hacked into, and the perception that one gets from reading these stories is that all hell has broken loose and that Nero is halfway through his solo. Rather frustrating to a fault. We hear talking heads say that the “cyberterrorists” are gunning for critical infrastructure and that when they attack it will be catastrophic.
Well, piss on that.
Why? Simple. That’s the least of the problems that face critical infrastructure. We hear news reports about how insecure control systems are and how SCADA is so “hackable” but has anyone stopped to wonder why that might be? The press has set upon critical infrastructure of late for the low hanging fruit. “If it bleeds, it leads.” Well, that much is true. The sector is bleeding, but not for the lack of a responsible crew manning the battlements. No, much more dire than that. Critical infrastructure has been taken hostage by its vendors. Often a patch set will come out for Windows, Linux et cetera and the operators, being diligent folks, try to roll out the security patches only to be thwarted by the vendors.
Why?
Because the vendors have not “certified” the patches with regard to their software, a process that can often take an exceptional amount of time. The end result is that without that nebulous “certification” the vendors will refuse to support their customers if they forge ahead with the application of said security patches.
A sad state of affairs.
Critical Infrastructure needs to get the attention it requires. The highest levels of government need to start paying close attention to these vendors that, through negligence, indifference or apathy, are jeopardizing the security of their national infrastructures. They need to have their feet held to the fire.