Joe Weiss posted an extremely thought-provoking blog entry this morning on Unfettered. He questions the hacker/cracker cultural meme of disclosing cybersecurity vulnerabilities for the sheer pleasure of doing it. I think Joe's on to something here.
We have a serious problem in cybersecurity in control systems...we don't have enough "cybersecurity experts" who know anything about process control or factory automation. We have a bunch of soi-disant experts who descended on control systems (remember, they're the guys who thought every control system was "SCADA"?) because they saw a big market, and have been spreading FUD ever since.
Recently, a Wonderware vulnerability was disclosed, and the disclosure is making the rounds. Several months ago, an ICONICS vulnerability was disclosed, causing ICONICS significant distress. Why? Well, in both cases the vulnerability, although accurately described, was not dangerous.
In the Wonderware case, the vulnerability only applies to a very few customers who are still using a very old, outdated version of Wonderware's software, one so old that it will become "unsupported" at the end of the year. In the ICONICS case, the vulnerability, which generated a huge cyber alert in both Australia and the US, existed only in the web demo on the ICONICS website.
It would be a good thing if we all started thinking about these issues, and doing our best to discuss these types of vulnerabilities publicly with a clear eye to also disclosing the potential impact.
Otherwise, we are reduced to a pack of former 13-year-olds giggling about scrawling metaphorical cyber graffiti, for the pleasure of the game.
If we want to be taken seriously by policymakers, rulemakers, and politicians, we need to do better than that.