Weekly Intelligence Summary: 2012-01-20

Dave Kennedy
January 20th, 2012

The period of tedium in risk intelligence ended last week. An already busy week was capped when Digital Bond announced serious but non-specific vulnerabilities in six control systems. The announcement was made at their S4 conference, framed as creating a "Firesheep moment." We could interpret that to mean some sort of wake-up call to the industry, but happily (for them) it also serves to drive business for Digital Bond and attendance at future conferences. In conjunction with Rapid7, PLC exploit modules are being released, which increases risk in the short term for any organization running those systems. Since these are control systems, this action affects not just hardware but potentially the day-to-day lives of people. Persons exhibiting a blunted affect cannot appreciate that they are affecting risk much more significantly than the incremental vulnerability aspect of risk alone would suggest: unskilled and apathetic attackers will probably add these exploits to their existing attack portfolios, at much lower cost to themselves. Evidence of long-term benefits from actions like these is specious, given that the supply of bugs seems to significantly exceed demand. Ultimately, an artificial increase in risk highlights the inherent conflicts of interest (the only clear winner here is Digital Bond). There are much better, scalable ways to get a point across, and truly reduce risk to control systems, than by jeopardizing infrastructure.
