Researcher discloses zero-day flaws in SCADA systems

Flaws disclosed in products from Rockwell, five other vendors

An Italian security researcher this week disclosed details of several zero-day vulnerabilities he discovered in Supervisory Control and Data Acquisition (SCADA) products from multiple vendors, a disclosure that's likely to reinforce concerns about critical infrastructure weaknesses.

This is the second such disclosure by researcher Luigi Auriemma this year. In March, he disclosed similar vulnerabilities in SCADA products from Siemens, Iconics, 7-Technologies and Datac. His disclosure prompted the US-Computer Emergency Response Team (US-CERT) to issue four alerts warning about the vulnerabilities.

The most recent flaws discovered by Auriemma affect SCADA products from six vendors, including Rockwell Automation, Cogent Datahub, Measuresoft and Progea. Several of the flaws could enable remote execution attacks and denial-of-service attacks against the vulnerable systems.

In emailed comments, Auriemma said that almost all of the vulnerabilities he discovered are remote code execution flaws that allow attackers to run code of their choice on the vulnerable systems. Only one of the flaws is a denial-of-service vulnerability. It's still unclear whether the flaw in Rockwell's product could allow code execution, Auriemma said.

The researcher described some of the flaws as being easy to exploit. With "one of them, [it] is just enough to type the command you want to execute remotely while the others are classical easy-to-exploit bugs. In some cases, the exploitation is a bit more difficult," Auriemma said.

Auriemma said that he has not contacted any of the vendors about his findings. "This was only a quick experiment in which I dedicated some minutes for each product." At least three of the vendors have already issued fixes, while Rockwell is working on one, he said.

The disclosures prompted US-CERT's Industrial Control Systems Cyber Emergency Response Team to issue advisories about the flaws.

SCADA systems are used to control critical equipment at power companies, manufacturing facilities, water treatment plants and elsewhere. Security analysts fear that attacks against such systems could cripple critical infrastructure services such as electricity and public water supplies.

The Stuxnet worm, which exploited a weakness in a Siemens control system to disrupt operations at an Iranian nuclear plant is often cited as an example of the kind of damage that can be wreaked via vulnerable SCADA systems.

The latest vulnerabilities mostly exist in free or low-cost Windows-based engineering workstations that are used as interfaces to backend control systems, according to an analysis by Digital Bond, a consulting firm specializing in control system security.

One of the vulnerable products -- Rockwell's RSLogix system -- was described by Digital Bond as a workstation used to configure industrial control systems that are deployed widely in critical infrastructure. Most of the others are smaller, add-on and data transfer products that are "used in either very small systems or as an addition/accessory to a larger system," Digital Bond said.

All of the vulnerabilities disclosed by Auriemma exist in the so-called Human Machine Interface (HMI) systems used to manage industrial control systems, said Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book Protecting Industrial Control Systems from Electronic Threat.

"Vulnerabilities in HMI systems are not novel," but they should not be minimized, he said. Such vulnerabilities can be used to get at the downstream control system, he said.

"You can use the HMI to get to the control device and you can use the control device to get to the HMI," he said. Without further analysis, it is too soon to say whether the flaws discovered by Auriemma are really critical or not, he said. A lot depends on the kind of applications for which the affected systems are used, he said.

"Rockwell is a major manufacturer. They make a lot of systems, some of which are used in really critical applications," he added.

A spokesman from Rockwell said the company would release a statement soon.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies