On 5/3/20 3:14 PM, Eric Rescorla wrote:
> I don't have much experience with SCADA TLS stacks, so I can't speak to this, but I wasn't thinking primarily of the TLS stack itself but just of the overall software on the device. In general, most software has some defects and some of them will be security relevant; if you are unable to upgrade the software on your devices, then if such vulnerabilities are discovered you are obviously in a bad position.
It can be expensive to upgrade devices in some industrial applications. As mentioned earlier, upgrades may not even be available. Upgrades are sometimes also seen as disruptive to production, and therefore extremely risky, because they may introduce new bugs or change APIs. The risk of loss of production for any significant period of time can seem far greater than the risk of a security breach, though of course both risks are real. Upgrades over the net are generally not feasible (and this is seen as a Good Thing), because the production network is generally disconnected from any external network most if not all of the time. If there is a supported means to upgrade the firmware in the field, it may require physical access to the hardware. (Of course there are still security threats: from insiders who have access to the network and/or the hardware, from the occasional laptop that migrates between the production network and other networks, from media that migrates, etc.) The hardware may well be replaced before its firmware is upgraded -- but new hardware may still run old firmware.
So a vendor of hardware that's intended for such environments may not be able to rely on firmware upgrades to fix bugs. For the smart ones (they're not all smart, of course) this translates into a greater emphasis on minimizing complexity, product stability, and getting things right the first time.
Keith

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta