Are ICS Vendors Really to Blame for Insecure Systems?

Friday, April 27, 2012

Joe Weiss


The  linked-in site Cyber Security Forum Initiative has the following thread: “Unfixed SCADA security holes are growing. Should Vendors be made accountable for hacks to their unpatched SW?”.

The implication is that vendors aren’t interested in securing their legacy products. I cannot speak for all ICS vendors, but I do know that many ICS vendors supporting the electric industry are frustrated.

This is because many utilities are concerned with NERC CIP compliance to the exclusion of actually securing their legacy control systems. This is because the utilities may not be required to actually secure these systems to be NERC CIP compliant (isn’t that crazy?). 

A domestic utility has been willing to act as a test bed for actually SECURING LEGACY ICSs for RELIABILITY considerations. Many ICS vendors I have contacted will be working with the utility to determine how to secure these legacy systems.

The lessons-learned from the utility and the ICS vendors will be presented at the 12th ICS Cyber Security Conference the week of October 22nd.

The other concerns with the thread are responses to Aurora and the Idaho National Laboratory (INL) test that are wrong.

The Aurora misconceptions and the lessons-learned from a hardware-implementation program will be presented by the utility and sponsoring government organization at the 12th ICS Conference.

As Aurora can affect almost all substations, this presentation should be of value to all US utilities since the results of this hardware mitigation plan can reasonably be expected of all US utilities.

Cross-posted from's Unfettered Blog - copyright 2012 and ff by Putman Media Inc. All rights reserved.

Possibly Related Articles:
Industrial Control Systems
SCADA Utilities Cyber Security Infrastructure NERC CIP Legacy Systems ICS vendors Industrial Control Systems IS Controls
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.