Recent Reports of SCADA's Demise have been Greatly Exaggerated

Just a note at this point: I actually work for Citect as a training developer; however, I have no connection with software development, management or sales.

Much of this boils down to two issues. Firstly, whether it is a “real” vulnerability and, secondly, what an appropriate response should be.

Considering a ‘normal’ installation of CitectSCADA, this is probably not a real vulnerability.  As mentioned on the previous page, the only way a site could be exposed to the problem is to have their SCADA system connected directly to the Internet without any form of protection. 

I recall reading a long time ago about one of the Australian PC magazines building a ‘bare’ Windows XP machine and exposing it to the internet.  Over a number of trials, if I recall correctly, the shortest length of time a PC survived until infected by some kind of malware was 6 seconds!  The longest maybe 30 minutes.

With this in mind, I can’t see that an ODBC vulnerability is particularly significant!

So, given this, what should the response be? 

Citect’s role is to examine the vulnerability report and determine the real impact upon their customers.  Having done that, they should then determine whether an urgent patch is required or whether the issue can be dealt with in the normal product development cycle.

Citect initially chose the latter course of action, but also developed a patch to be made available to sites should they insist on applying it.

Given the provenance of the problem, this seemed to be entirely reasonable. However, once various members of the ‘chattering press’ took hold of it, nothing short of a 2-year back-dated patch would have pleased them!

Nothing is simple any more!