After just a few hours work, one security researcher found more than 20 flaws in various SCADA packages.
In a continuous movement to ensure SCADA software is secure, these programs have become a target for security researchers as well as attackers.
While quite a few companies refuse to acknowledge they have suffered an attack, there have been attacks and what keeps attackers at bay is a defense in depth program. The classic case is Stuxnet virus, which was a well-orchestrated attack by Israel and the United States that hit the Natanz enrichment facility in Iran.
And while most security researchers still focus mainly on Web apps or widely deployed enterprise software, some have taken an interest in SCADA applications which often cover the critical infrastructure. Earlier this year, a pair of researchers disclosed vulnerabilities in the Tridium Niagara software, prompting ICS-CERT, which tracks flaws in SCADA and ICS (industrial control system) software, to issue an alert.
Now, a researcher at Exodus Intelligence, Aaron Portnoy, said after spending a few hours looking for bugs in SCADA applications, he came up with more than 20, several of which are remote code-execution vulnerabilities. The vice president of research at Exodus said finding the flaws was not all that taxing. Portnoy asked the question, “What does a flightless bird and SCADA software have in common?”
The answer is “They’re both easy targets.”
“The most interesting thing about these bugs was how trivial they were to find, Portnoy said in a blog post. “The first exploitable 0day took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison. The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself.”
Portnoy said he decided to go after the SCADA apps, which he’d never researched before, after seeing a video posted by ReVuln last week. In the video, ReVuln researchers said they have server-side remote code-execution flaws in software from GE, Schneider Electric, Siemens, Kaskad, ABB/Rockwell and Eaton. Portnoy also found flaws in Schneider Electric, Rockwell and Eaton apps, as well as in software from Indusoft and RealFlex.
ReVuln does not disclose vulnerabilities to vendors, but instead keeps the information to itself and sells it to customers. Portnoy, meanwhile, said he plans to disclose all of the bugs he found to ICS-CERT. Of the 23 bugs he discovered, Portnoy said that seven of them were remotely exploitable code execution flaws.