The agenda for the SANS Process Control & SCADA Security Summit 2009 has changed a bit and it’s definitely for the better. I am now scheduled for a session at 1:40 PM, on Monday, February 2nd: In-Depth Discussion: SCADA HMI Software Security Threats with Wesley McGrew.
I plan on using this session to present a talk entitled “Vulnerabilities in SCADA Human-Machine Interface Software”:
In this presentation, I will discuss the attack surface of HMI software, why it might be an attractive target for attackers (and penetration testers!), and how these risks might be mitigated, both by software vendors and end users.
As an example during this presentation, I will be going through the details of a specific set of vulnerabilities in a widely-used HMI software product. These vulnerabilities were disclosed to the vendor about 6 months ago, and this will be the first time that they will see public disclosure. The problems are fundamental to the architecture of this product, easy to understand and follow, and serve as an excellent illustration of the points we’ll be discussing in this session.
If you’re interested in how HMI software fits into SCADA security, a user or developer of HMI software looking for mitigation strategies, or a penetration tester looking for new ways of testing target systems, then I think this would be an interesting talk for you to attend at the Summit. I’m going to try to keep things interactive with the attendees, and I think we’re going to have a lot of fun.
Get in touch with me if you plan on attending this talk! I’d love to hear from you. I’ll also have the slides posted here on my blog once the talk is over.