New Siemens SCADA Vulnerabilities Kept Secret, Says Schneier

From the article: SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage into waterways. It's Stuxnet: centrifuges spinning out of control and destroying themselves. Never mind how realistic the threat is, it's scarier." What worries Bruce Schneier most is that industry leader Siemens is keeping its SCADA vulnerabilities secret, at least in part due to pressure from the Department of Homeland Security .

If it did cause an accident...

[AmiMoJo]

Seems like Israel and the US are playing a dangerous game here. Say that Stuxnet caused an accident that released radioactive material into the environment...

DHS probably wants the security holes

[Anonymous Coward]

Actually it's probably the CIA, NSA and other TLA's that truly want the security holes. They're just using the DHS as the mouthpiece to convince the companies to keep quiet and not plug the holes. After all, without those holes, Stuxnet (and likely other woms/viruses/trojans) wouldn't be as effective as they apparently have been.

Re:Duh?

[nedlohs]

or fix it, that works really well too.

Re:Duh?

[markus_baertschi]

That is exactly what will not happen.

The ones who should tell their Customers about the problem is Siemens. But they will play the problem down because it might affect the sales of the next batch of stuff.

The evil hacker will just buy a bunch of systems, analyze it and find the vulnerabilities. This completely independent of the disclosure. Stuxnet was developed before this disclosure and I think the vulnerabilities used by Stuxnet are still there.

This is why security by obscurity does not work in the real world.

Re:Call me naive or something, but...

[jimicus]

I'm not sure it would have done much good. The general consensus of opinion is that this was a case of a determined attacker with a lot of resources, not some nutter on the Internet with a copy of the latest Virus Generator Toolkit (TM).

How much weight we should give that opinion is something I'm not going to discuss.

In any case, you think a determined attacker is going to be put off by a small thing like that? Hell, if it boils down to it you either organise double agents to apply for jobs at the target site or you target someone who already works there with a brown envelope full of unmarked, non-sequential notes. The latter is high risk, but find the right person, someone who's in debt up to their eyeballs and has been keeping it from their family for some time perhaps, and away you go.

Re:DHS probably wants the security holes

[fuzzyfuzzyfungus]

I'm not so sure: Obviously, assorted sinister TLAs are happy to exploit available holes; but all but the really stupid ones have to realize that they don't exactly live in a unipolar world when it comes to writing viruses, and that the US(and its assorted western buddies) have a lot to lose in an atmosphere of general SCADA-smashing.

If all SCADA systems become deeply vulnerable, who loses more? Industrial or post-industrial societies with high levels of complexity that could be on the edge of collapse with a few days of supply chain disruption, or the dusty low-GDP countries of the world where disenfranchised hackers, cheap laptops(and/or exploits provided by friendly powers using them as proxies) are still easily available?