[UPDATE]: Welcome Heise.de folks. Please be sure to read the article.
On Sunday Saturday I managed to take in the SCADA presentation. It was an hour of my life that I would most assuredly like to have back. Ganesh Devarajan from Tipping Point gave a talk on the subject. Within the first five minutes it became readily apparent that he has never actually worked on a SCADA system. He went on to describe the basics of the various protocols that are used with SCADA systems such as DNP3 and ICCP but, he then showed his blind side to the audience.
“SCADA systems are extremely vulnerable to attack” he said. OK, but, you have to get to them first. He left the audience with the distinct impression that any script kiddie with 5 minutes to spare could take out the water treatment or traffic lights. This is a rather significant overstatement. But, I guess he wanted his five minutes in the press. Sadly the AP fell into this trap:
Terrorists and other criminals could exploit a newly discovered software flaw to hijack massive computer systems used to control critical infrastructure like oil refineries, power plants and factories, a researcher said Saturday.
Ganesh Devarajan, a security researcher with 3Com Corp.’s TippingPoint in Austin, Texas, demonstrated the software vulnerability he uncovered to attendees at the Defcon hacker conference on computer security.
Um, no he didn’t. He didn’t bring fire to the village. He just outlined some common problems that exist in any network.
At no point did he show a smoking gun. Sure there are vulnerabilities in these systems (as with any) but, Ganesh did not show anyone anything new nor did he arrive with research. Myrcurial on the other hand got the crowd going when he mentioned that he had a couple of SCADA vulns in the can. And he does. But, no they are not going to be released to the public. We have decided that we are going to work on a SCADA presentation for next year with some meat on its bones. As an aside I recommend folks interested in this subject check out SCADA Security.org
The only thing that Ganesh managed to accomplish is to get folks talking about SCADA security in the mainstream press. Bless him for that.
[tags]SCADA at Defcon, Defcon SCADA, SCADA Security, Defcon[/tags]