Earlier this week I wrote about a serious issue in the patching of SCADA and ICS systems. Just when you think you are installing all needed patches, some critical ones are getting missed.

Unfortunately, I think even the phrase “installing all needed patches” is too optimistic. In my surveys of SCADA and ICS facilities, I find that even when operating system patches are getting installed, application patches are not. For example, many HMIs are running copies of Abode PDF Reader that haven’t been patched in years. Considering that Adobe has released over 30 critical security patches for Reader in the past three years, this is a gaping security hole.

Clearly security vulnerabilities aren’t just an operating system problem. And they are not just a business application problem. We saw the number of publicly disclosed security vulnerabilities for SCADA and ICS products jump dramatically in 2011. For 2012, all indications are that the situation will be worse. Many of these vulnerabilities are not on Windows computers, but rather critical hardware such as PLCs, DCS controllers, RTUs, switches, routers and even firewalls! Read more »