Researcher discloses zero-day flaws in SCADA systems
Flaws disclosed in products from Rockwell, five other vendors
Computerworld - An Italian security researcher this week disclosed details of several zero-day vulnerabilities he discovered in Supervisory Control and Data Acquisition (SCADA) products from multiple vendors, a disclosure that's likely to reinforce concerns about critical infrastructure weaknesses.
This is the second such disclosure by researcher Luigi Auriemma this year. In March, he disclosed similar vulnerabilities in SCADA products from Siemens, Iconics, 7-Technologies and Datac. His disclosure prompted the US-Computer Emergency Response Team (US-CERT) to issue four alerts warning about the vulnerabilities.
The most recent flaws discovered by Auriemma affect SCADA products from six vendors, including Rockwell Automation, Cogent Datahub, Measuresoft and Progea. Several of the flaws could enable remote execution attacks and denial-of-service attacks against the vulnerable systems.
In emailed comments, Auriemma said that almost all of the vulnerabilities he discovered are remote code execution flaws that allow attackers to run code of their choice on the vulnerable systems. Only one of the flaws is a denial-of-service vulnerability. It's still unclear whether the flaw in Rockwell's product could allow code execution, Auriemma said.
The researcher described some of the flaws as being easy to exploit. With "one of them, [it] is just enough to type the command you want to execute remotely while the others are classical easy-to-exploit bugs. In some cases, the exploitation is a bit more difficult," Auriemma said.
Auriemma said that he has not contacted any of the vendors about his findings. "This was only a quick experiment in which I dedicated some minutes for each product." At least three of the vendors have already issued fixes, while Rockwell is working on one, he said.
The disclosures prompted US-CERT's Industrial Control Systems Cyber Emergency Response Team to issue advisories about the flaws.
SCADA systems are used to control critical equipment at power companies, manufacturing facilities, water treatment plants and elsewhere. Security analysts fear that attacks against such systems could cripple critical infrastructure services such as electricity and public water supplies.
The Stuxnet worm, which exploited a weakness in a Siemens control system to disrupt operations at an Iranian nuclear plant is often cited as an example of the kind of damage that can be wreaked via vulnerable SCADA systems.
The latest vulnerabilities mostly exist in free or low-cost Windows-based engineering workstations that are used as interfaces to backend control systems, according to an analysis by Digital Bond, a consulting firm specializing in control system security.
One of the vulnerable products -- Rockwell's RSLogix system -- was described by Digital Bond as a workstation used to configure industrial control systems that are deployed widely in critical infrastructure. Most of the others are smaller, add-on and data transfer products that are "used in either very small systems or as an addition/accessory to a larger system," Digital Bond said.
All of the vulnerabilities disclosed by Auriemma exist in the so-called Human Machine Interface (HMI) systems used to manage industrial control systems, said Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book Protecting Industrial Control Systems from Electronic Threat.
"Vulnerabilities in HMI systems are not novel," but they should not be minimized, he said. Such vulnerabilities can be used to get at the downstream control system, he said.
"You can use the HMI to get to the control device and you can use the control device to get to the HMI," he said. Without further analysis, it is too soon to say whether the flaws discovered by Auriemma are really critical or not, he said. A lot depends on the kind of applications for which the affected systems are used, he said.
"Rockwell is a major manufacturer. They make a lot of systems, some of which are used in really critical applications," he added.
A spokesman from Rockwell said the company would release a statement soon.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!