Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues, and he’s written a little piece for ZDnet recently. http://www.zdnet.com/blog/security/metasploit-and-scada-exploits-dawn-of-a-new-era/7672
As I see it, the two statements in the article that contain “ethical researcher” and “will simply expose the vulnerability to the world” present an oxymoron. Ethical researchers do not behave in an unethical manner, no matter how frustrated they are with “vendor inaction”. Those who do are simply behaving like attention-starved prima donnas.
In his post, he suggests that:
- The SCADA community can expect to see an explosion of relevant vulnerabilities and exploits in the near future.
- SCADA organizations must vigilantly monitor vulnerability info sources and security researchers.
- Stuxnet has cast a light on SCADA security issues. Put bluntly, there is blood in the water.
- Security researchers are frustrated by software vendors’ inaction.
- Attack frameworks like Metasploit enable a new level of integration of targeted exploits into a powerful tool.
I agree with all of these points, and cannot fault the basic recommendations: monitor intel sources, keep up to date, and have vendors create security points of contact and processes. However, these do little to address the underlying issues and remain reactive. There needs to be a standard process that mediates the vulnerability advisory process. Acting outside of the process should have repercussions for a company’s or researcher’s standing and reputation in the community. Vendor activity must become more transparent, with set planning and delivery deadlines. Breaching an agreement with the governing body should have clear reputational outcomes, and initiate “controlled disclosure”: minimal, discreet information regarding the _PRESENCE_ of the vulnerability and its impact should be released. No proof, no code, no hints…
When it comes to SCADA networks, this information would allow the SCADA organizations to apply additional pressure to the vendors to get a fix out without compounding the problem.
“…Metasploit is akin to a .50 caliber sniper rifle, and a zero-day SCADA vulnerability is equivalent to a .50 caliber depleted uranium round for that rifle.” So, stop allowing and supporting those that hand out rifles and ammunition to children! Metasploit should always have been difficult to obtain, and made “traceable” when used. If someone uses it, it should present information about itself, such as the _real_ IP address, system name, etc. You can’t seem to control the flow of guns, so it is time to serialize your ammunition.
Just another free opinion, collect all 10!