The situation is reminiscent of what happened to Windows a decade ago, when hackers began picking apart Microsoft's products, McCorkle said. Industrial vendors are "basically just 10 years behind the curve on security. It's like we're going back to the '90s," he said.
When researchers first turned to Microsoft in the late 1990s, the software maker was caught flat-footed. It was only after several years of antagonism between Redmond and the hackers ripping apart its software that Microsoft figured out how to work with hackers.
Researchers became so tired of the issues they uncovered being ignored that they started to release the technical details in order to force Microsoft to release a patch. The idea of this pattern happening over again in industrial systems is worrying. It's an area where a security flaw could lead to a chemical spill or a widespread power blackout, and where it can take months to schedule and install patches.
Just this week, a researcher named Luigi Auriemma sent the ICS-CERT team scrambling when he published details on four new vulnerabilities in industrial products, something he'd already done several times in the past year. Auriemma, an independent researcher in Milan, believes posting technical details is the quickest way to get things fixed. "Full disclosure is the best way to get attention on this matter," he said in an instant-message interview.
One former INL staffer who worked at the Control Systems Security Program during the time Finisterre released his Citec code says that there were problems in the early days. "Industry has already had difficult interactions with the 'hacker' culture when these first few vulnerabilities for industrial control systems surfaced a few years ago," said Robert Huber, co-founder of Critical Intelligence, an Idaho company that does research into industrial systems threats. "Back then, the vendors were completely unprepared for these disclosures," he said in an email interview.
But Huber thinks things are improving. "Many security researchers have worked with the vendors, or through an intermediary, to disclose vulnerabilities," he said. "Now, that said, the sheer number and interest may drive more researchers into the space to make a name for themselves without following the disclosure process, resulting in more vulnerabilities that are not coordinated.
"Only time will tell," he said.