Tuesday, June 21, 2011

Electric Sector Supply Chain Responsibilities re: Security

I found a recent post "Fix the Problem, Stop Bailing out Vendors" on the Digital Bond blog quite compelling.
Author Dale Peterson begins thusly:
We, the SCADA Security community, need to put all our efforts and emphasis in the PLC, RTU, controller space on getting vendors to add basic security features to their models available for sale today. Beginning with authenticating the source and data sent and received from the PLC and continuing with other Security 101 features. We should not say or pretend that any other solution besides this is acceptable.
... and what follows is an interesting back and forth between Peterson and SCADAhacker Joel Langill, as well as a number of well-informed commenters, on how best to approach these challenges, and with whom the ultimate responsibility lies.

While Siemens is mentioned because its equipment was targeted by Stuxnet, all makers of intelligent, connected grid systems (and I'd certainly include grid and Smart Grid software and application vendors here as well) should have their feet held to the fire re: the security functionality of their products.

We can try to do that via regulation, or we can start asking, and then demanding it in RFPs and other sourcing docs. One way or another, solid security functionality is becoming a real requirement. Let's not pretend otherwise. And let's not let others pretend otherwise. Click HERE for the full post.