The major control system suppliers are claiming they provide tested secure DCS and SCADA systems.
To my knowledge, at least four major control system suppliers, in this case 3 DCS and one SCADA, are providing less security than advertised.
In one DCS case, the vendor told me how secure their system was and specifically identified one showcase utility. Unfortunately for them, I knew the utility and the utility engineer. The engineer was so disappointed in the vendor not listening to his needs that he made a presentation on security deficiencies the vendor would not address.
In the second case from a different DCS vendor, the vendor recently performed factory acceptance testing without security being addressed even though I was told by the supplier that security testing is standard procedure.
In the third case from another DCS vendor, the DCS is currently being procured and staged. The vendor claims they automatically secure their systems. However, when the utility engineer questioned the vendor, the vendor stated they would need additional funding for security and even asked the utility to delay the implementation to address security.
In the SCADA case, the vendor was using the full suite of Microsoft web services without recognizing the security implications.
What is really going on with our vendors?
Joe Weiss