Researcher finds 20-plus flaws in SCADA software
Moves to indentify and report SCADA software vulnerabilities kept secret and sold by another security firm
IDG News Service - A security researcher claims that he found 23 vulnerabilities in industrial control software from several vendors after a different security company last week showcased vulnerabilities in applications from some of the same manufacturers, but chose not to report them.
The vulnerabilities were discovered by Aaron Portnoy, vice president of research at startup security firm Exodus Intelligence, and affect SCADA (supervisory control and data acquisition) software from Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton. This type of software is used to control industrial processes in critical infrastructure, manufacturing plants, and other industrial facilities.
Last week, ReVuln, a Malta-based vulnerability research firm, announced that it had found critical vulnerabilities in SCADA software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. However, the security company said that it would not report the flaws to the affected vendors or the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security.
ReVuln sells information about the vulnerabilities it finds to government agencies and other select private buyers through a subscription-based service.
"I decided to research SCADA software after reading the mentioned articles and thought that it was dangerous to force vendors to purchase the ReVuln feed in order to protect critical infrastructure," Portnoy said Monday via email.
ReVuln's subscription-based feed service is not available to software vendors, but the security firm offers vulnerability assessment services to software manufacturers, ReVuln's co-founder Luigi Auriemma said Monday via email. Auriemma defended his company's decision not to report vulnerabilities and said that this business model is used by other vulnerability research companies and brokers as well.
The practice of selling information about unreported vulnerabilities to private buyers is not new in the security research community. However, it's only recently that some companies began advertising such services publicly. For example, French vulnerability research firm VUPEN was criticized by digital rights advocates after openly admitting that it sells exploits to NATO governments without reporting the vulnerabilities to vendors.
Portnoy presented his findings in a blog post published on Monday. They included seven remote code execution flaws, 14 denial of service issues and some other vulnerabilities that can allow attackers to download, upload and delete arbitrary files from systems running the vulnerable software.
"The most interesting thing about these bugs was how trivial they were to find," Portnoy wrote in the blog post. "The first exploitable 0day [previously unknown vulnerability] took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison."
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts