Tuesday, July 08, 2008

SCADA Watch: A Legacy of Insecurity & the Control System Lifecycle

Kevin Lackey writes on Digital Bond:

The classic definition of the cornerstones of information security are:

  • Confidentiality, meaning that the data that you send or receive can not be read by others.
  • Integrity, the data is valid, has not been tampered with and originates from the authenticate source.
  • Availability, the data is available when it is needed.

When we apply these criteria to control system environments we see that only one of these elements, availability, is present. Control systems were designed with availability as the overriding criteria to such an extent, because of the nature of the environments in which they existed in the past, they seemingly ignore the other two criteria.

The majority of control systems do a very poor job with data confidentiality and integrity. This is especially true when these criteria are applied to the huge legacy system install base.

More here.

1 Comments:

At Wed Jul 09, 02:37:00 PM PDT, Blogger Nathan Boeger said...

Very true. Worse yet, this focus is deeply embedded in the organizational culture in many manufacturing environments. Single shared passwords that are never changed are often the norm.

 

Post a Comment

<< Home