Ruben Santamarta, a security researcher at security consultancy firm IOActive, who previously reported vulnerabilities in industrial control systems (ICS), believes that business models based on nondisclosure policies are here to stay until software companies make them unsustainable by securing their products.
"This business model can be reprehensible or not, that depends on your ethical point of view," Santamarta said Monday via email. "Regulated or not, as long as there are buyers, there will be sellers, unless we reach the point where there is nothing to sell. Until that moment, I think this kind of company is something the sector has to live with."
Portnoy said that it was easy for him to find vulnerabilities in SCADA software because many of the products he tested didn't even have rudimentary security mitigations built in.
"I think many of these vendors should be forced to perform outsourced code review, at the very least -- especially considering the implications if their software was leveraged by an attacker to gain access to the sensitive systems they support," he said.
"I don't necessarily think SCADA vendors should be forced to perform outsourced code reviews, but looking at the vulnerabilities being discovered, it may be in their best interest to do so," Eiram said. "Many SCADA vendors seem to require a solid SDL [security development lifecycle program]."
"The ICS industry cannot completely rely on the good intentions of a bunch of security researchers to secure their products," Santamarta said. "We have to take into account that if someone, who has no previous knowledge about your product, is able to find a flaw, probably someone with the proper knowledge is doing something wrong."