
SCADA Problems Too Big To Call 'Bugs,' Says DHS

chicksdaddy writes "With the one year anniversary of Stuxnet upon us, a senior cybersecurity official at the Department of Homeland Security says the agency is reevaluating whether it makes sense to warn the public about all of the security failings of industrial control system (ICS) and SCADA software used to control the U.S.'s critical infrastructure. DHS says it is rethinking the conditions under which it will use security advisories from ICS-CERT to warn the public about security issues in ICS products. The changes could recast certain kinds of vulnerabilities as 'design issues' rather than security holes. No surprise: independent ICS experts like Ralph Langner worry that DHS is ducking responsibility for forcing changes that will secure the software used to run the nation's critical infrastructure. 'This radically cuts the amount of vulnerabilities in the ICS space by roughly 90%, since the vast majority of security "issues" we have are not bugs, but design flaws,' Langner writes on his blog. 'So today everybody has gotten much more secure because so many vulnerabilities just disappeared.'"
  • by Anonymous Coward on Monday September 26, 2011 @04:56PM (#37520042)

    "Bugs," "security vulnerabilities," "design flaws"

    it matters to bureaucrats, unfortunately.

    the categorization of these flaws, and whether they are a "bug" or not, can determine by law or policy who is on the hook for the $$$ required to fix the flaw.

  • by AtariDatacenter ( 31657 ) on Monday September 26, 2011 @04:58PM (#37520068)

    SCADA? I don't care about it. Not directly. But the problem is that once the government says, "These aren't vulnerabilities or security holes. These are design issues," you've set the example, and other software vendors are going to follow.

    Example: "The denial of service attack against your application is not a security vulnerability, it is just a design issue that everything locks up for a while if it gets an incoming packet and tries to resolve the IP address against its authoritative DNS server while that DNS server is offline. We only do security fixes on old products / old releases. Sorry."

    "Design issue, not a security vulnerability" is not a distinction you want easily drawn. Others will follow a government example if it is an easy out.

  • by Runaway1956 ( 1322357 ) on Monday September 26, 2011 @05:50PM (#37520604) Homepage Journal

    And, that is the only sensible approach to take. If the world weren't filled with cheap bastards posing as CEOs and economics experts, there would be a human hand at all critical controls, nationwide. The only networking necessary would be the sound-powered phone on the operator's head.

  • by AK Marc ( 707885 ) on Monday September 26, 2011 @07:00PM (#37521274)

    If you design a car with a gas tank that dislodges from the filler neck in a crash, spilling fuel in the case of a moderate crash, turning a survivable minor injury crash into a life-threatening incident, then you designed it wrong. If you purposefully design it to keep the filler neck attached for all crashes, but a part sourced for it did not meet specifications, resulting in inadvertent detachment, then you have a "bug" that was most certainly not a design flaw, but a build (coding) flaw.

    One is a purposeful choice to make an inferior product to save time/money. The other is a properly designed product with an unintentional flaw. Sadly, deliberate negligence is tolerated (and seemingly encouraged), while unintended flaws are punished more harshly. But that's government security for you. Appearance is much more important than effect.
