On Friday 15 August 2003 22:29, Chris Kuethe wrote:
On Fri, 15 Aug 2003, Harmon Seaver wrote:
Somehow I have difficulty believing the these people could be so totally lame as to be running mission-critical stuff like this on windoze. Please say it isn't true.
it's scary just how much mission-critical stuff runs on windows. i'll confess right now to being a unix zealot, so the thought of anything mission critical (beyond hotmail and freecell) on windows is scary.
It's not just the reliance on Windows that's scary. It's the mindset of the industrial controls industry, where the concept of security is percieved as a hassle for the end customer, and therefore something to be avoided. 10 years ago, I was developing a data collection and reporting program for the aircraft industry. The project suffered from creeping featurism, and one of the desired features was adding dialup data exchange, so the collection apps could send their data to a central location via modem. When I asked how much security was wanted on the dialup port, I was told that none was necessary because no one would ever attack the system, and anyway, the data were not interesting to outside parties. 10 years ago, perhaps that was an understandable position, though certainly naive. (I still put in a minimal challenge/response layer, if only to discourage the C-64 kids with wardiallers) A few weeks ago, I sat in on a meeting to talk over design of a TCP/IP Ethernet interface for an existing control system. When I asked what security provisions were envisioned for this interface, I was told that the system was not intended for deployment on publicly routed network segments, so there was no need for any security protocol.
i know of some fairly large installations running control systems for power generation on windows. these same sites then give the vendors access to the system via vpn across the internet. sure there are firewalls, but i don't have faith in the long-term maintenance of the vendor sites.
I've just returned from an extensive training seminar on OPC controls technology. The acronym stands for "OLE for Process Control", and it's a Microsoft-centric technology built on top of DCOM. Agt the lower end, OPC would let you control a PLC from Excel. Given the compressed schedule of the course (normally three weeks, it was compressed to two for our class) and my previous experiences, I didn't try to discuss security at all. But I noticed no authentication layer at all. Apparently, the security Microsoft natively provides for controlling DCOM traffic is all that such an application has available. And as far as I can tell, that would be none. I suppose I do get a bit of entertainment from the looks on the engineers' faces when I bring up threat models and attack scenarios. Most of them are indifferent. Some are confused. Some are annoyed. And one or two have understood the threat, but told me that I shouldn't talk to corporate about such things because it would make the sales force nervous. The reactions of sales droids (and even management) has been either dismissive (there is no threat) or hostile (I'm the threat). The most entertaining episode was back when UPS was first deploying their DIAD electronic clipboard, and I asked what steps were being taken to protect the signature data in transit. (There was no protection at all; the signature data were retained in the clear and could be dumped by any device that knew the protocol. I believe this is still the case.) That eventually produced a regional manager who visited the small company where I was employed. He was visibly irritated that anyone would even ask about such things, and answered every threat scenario I presented with "That would never happen!" He stalked off in a huff after I asked him how he would feel if his digitized signature, obtained legitimately when he received a package, were to appear at the bottom of an incriminating document faxed to his general manager. Ironically, several of my jobs have included IT duties along with my usual engineering tasks. Those same sales droids and engineers that scoffed at the need for security in their industrial controls applications came running to me frantically when their workstations became infected with SirCam or Klez. Security, as Schneier says, is a process. It's also a mindset, and I think one either has the mindset or he doesn't. And for those that don't have it, it is *very* difficult to impart.