dragons

I have been conducting industrial control system (ICS) protocol vulnerability research lately with good success. The details of much of this research will become public domain via responsible channels in the near future. Several repeating attitudes have emerged in discussions with stakeholders with which I disagree.

To vendors that would claim I am creating a problem for personal gain:

  • There is already a problem, you just don’t realize it exists. There is also already a market for security products in this space and the more progressive and aware vendors go to great length to use them.  It is unfair for you to sell your untested and vulnerable products to unaware end users.  I intend to create product differentiation in this space to raise the bar of excellence with respect to SCADA software and specifically remotely-exploitable protocol software.

To my security-aware collaborators:

  • I have business aspirations. I have already communicated this to you, but I want all the stakeholders to be aware of this fact so nobody will paint this research as solely altruistic or academic. It is not. Business is most productive and fun when financial interests line up with industry/customer needs and personal academic interests. It’s no secret to my friends and colleagues that I feel strongly about business models that provide little benefit to anyone else. Patent trolls in the software industry, I’m talking to you.

To anyone that thinks that security is not yet an issue in this space:

  • ICS security should not be reactive. Let’s not wait for a major incident to send us all scrambling.  I know this is a debate, but please acknowledge that those calling for action are not a small minority trying to stir the pot for personal benefit. There are plenty of expert end users at utilities that feel the same way. Take kindly the counsel of history and realize that this industry is far behind others with regard to security awareness. Your private networks matter not. The fact that we have not had a major incident yet matters not.

To anyone that thinks that software security testing is some kind of black art:

Very few people know what software security really is, even if they are so-called “security experts.”  Like the maps in ancient history used to warn, the dangerous area just outside the map is sometimes best left alone. The uncharted territory just read, “Here be dragons,” meaning that you should not venture there. It is too scary or too challenging.  Fortunately for software security, the age of darkness is over because the first explorers risked their souls and delved into the mystic lands of hacking, trying to explain security to ordinary software developers. First, they were feared for their new skills, and later they were blamed for many of the dangerous findings they encountered.  Even today they are thought to possess some secret arts that make them special. But what they found was not that complex after all.

Takanen, Demott, and Miller - Fuzzing for Software Security Testing and Quality Assurance, page 3.