The agenda for the SANS Process Control & SCADA Security Summit 2009 has changed a bit and it’s definitely for the better.  I am now scheduled for a session at 1:40 PM, on Monday, February 2nd: In-Depth Discussion: SCADA HMI Software Security Threats with Wesley McGrew.

I plan on using this session to present a talk entitled “Vulnerabilities in SCADA Human-Machine Interface Software”:

In this presentation, I will discuss the attack surface of HMI software, why it might be an attractive target for attackers (and penetration testers!), and how these risks might be mitigated, both by software vendors and end users.  

As an example during this presentation, I will be going through the details of a specific set of vulnerabilities in a widely-used HMI software product.  These vulnerabilities were disclosed to the vendor about 6 months ago, and this will be the first time that they will see public disclosure.  The problems are fundamental to the architecture of this product, easy to understand and follow, and serve as an excellent illustration of the points we’ll be discussing in this session :-) .

If you’re interested in how HMI software fits into SCADA security, a user or developer of HMI software looking for mitigation strategies, or a penetration tester looking for new ways of testing target systems, then I think this would be an interesting talk for you to attend at the Summit.  I’m going to try to keep things interactive with the attendees, and I think we’re going to have a lot of fun.

Get in touch with me if you plan on attending this talk!  I’d love to hear from you.  I’ll also have the slides posted here on my blog once the talk is over.

  7 Responses to “HMI Vulnerabilities at SANS SCADA Summit 2009”

  1. Great topic. I plan to attend your talk. Looking forward to meeting you. Wally Magda,

  2. I didn’t realize post was going public. Please do not publish phone number in text of message. Thanks, Wally

  3. Hi Wally! I’m looking forward to it too. See you there!

  4. Wally: no problem, got your number, filed it, and removed it from the message :)

  5. Hi there,

    I just read your blog. Great job btw. Any chance of getting a copy of these slides? I highly appreciate it if you could please email me a copy on: emailfrancis{at}

    Keep up the good work. Cheers.

    • Hi Francis! Unfortunately, I won’t be able to provide the slides.

      On the bright side, information about the vulnerabilities discussed in the slides is available in the US-CERT entry, along with the resources linked from it:

      From that, you should be able to figure out whatever it is you need to know about it.

  6. [...] There is also the threat to non-cyber infrastructure such as the power grid, where they site SCADA as an example. Last but not least they mention their concerns on privacy. Unfortunately for the [...]

 Leave a Reply



You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

© 2012 McGrew Security Suffusion theme by Sayontan Sinha