We have tried to find ways to give loyal blog readers a view into how Application Assessments are done and how bad the situation is with many control system applications.
Recently Daniel spent a couple of days black box testing a widely used control system application for an in-house project, and as we were writing up the vulnerability notes we discussed the process and the common findings. After some thought and review, we decided we could sanitize the information and describe the type of testing he typically performs on a few of the application interfaces, along with the common security problems identified in this very short testing.
This blog is an intro to a multi-part blog series that Daniel will run over the next two weeks. This is not theoretical or worst case. It comes from a real control system application and is typical. One thing that was very clear was that the “design decisions” either did not consider or discounted the fact that the application would be attacked.
Terminology Note: Digital Bond differentiates between a Security Assessment of a SCADA or DCS and an Application Assessment in two ways. One, our Security Assessments are typically performed for owner/operators, and Application Assessments are performed for vendors. Two, our Security Assessment evaluates the SCADA or DCS against good practice and looks for known vulnerabilities, while our Application Assessment looks for new, as yet undiscovered vulnerabilities. In the best case, our or someone else’s Application Assessment service would be worked into a vendor’s security development lifecycle.