More SCADA Security Threats: Where There’s Smoke, There’s Fire

One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more. Vulnerabilities are not just bad luck – they are caused by a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are experienced professionals who do little in terms of security assessments prior to commissioning systems in actual production facilities.

So what about the four SCADA / HMI products that have Luigi Auriemma’s 34 zero-day vulnerabilities? Would any of those have additional vulnerabilities, just waiting to be exposed to the world? After all, Luigi claims to have spent only two days per product. That isn’t much time – what if someone else started looking harder? So we decided to give it a shot.

Additional Vulnerabilities are Easy to Find

Sure enough, Eric and I began working on one of the flawed HMI packages last night. Within 5 minutes during my first scan, I found that it is susceptible to directory traversal attacks. In other words, the HMI software is allowing unrestricted access to most of the file system, including critical password files. Once someone has compromised these files, additional remote attacks are trivial.
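As an added illustration of the bug class described above (example code, not from this post or from any HMI vendor): a traversal check for a web-root file server, beside the unchecked join that such bugs reduce to, plus the same check run over access-log lines in common log format. The web root is a temporary directory, and every path and log line is constructed for the example.

```python
"""Added example, not code from the post or any HMI vendor: confine web
requests to a document root, and flag log lines that try to leave it."""
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Constructed, empty document root standing in for the HMI's web root.
WEB_ROOT = tempfile.mkdtemp(prefix="hmi_www_")

def decode_request(request_path: str) -> str:
    # Decode twice so "%252e%252e" is caught; treat "\" as "/" like Windows hosts.
    return unquote(unquote(request_path)).replace("\\", "/")

def escapes_root(request_path: str) -> bool:
    """True when the decoded request would climb above the web root."""
    decoded = decode_request(request_path)
    if "\x00" in decoded:          # NUL truncates paths in C runtimes
        return True
    depth = 0
    for seg in decoded.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def safe_resolve(request_path: str, web_root: str = WEB_ROOT):
    """File under web_root, or None; the naive bug is os.path.join(root, request)."""
    if escapes_root(request_path):
        return None
    rel = posixpath.normpath("/" + decode_request(request_path)).lstrip("/")
    root = os.path.realpath(web_root)
    full = os.path.realpath(os.path.join(root, rel))  # follows symlinks too
    if full != root and not full.startswith(root + os.sep):
        return None
    return full

def flag_traversal(log_lines):
    """Request paths from common-log-format lines that attempt traversal."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')                       # request is in quotes
        if len(parts) < 2:
            continue
        request = parts[1].split()                    # ['GET', '/x', 'HTTP/1.0']
        if len(request) >= 2 and escapes_root(request[1]):
            flagged.append(request[1])
    return flagged
```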

Unlike Luigi, I filed a report with the ICS-CERT a few hours ago, copying the vendor. CERT immediately followed up with my submittal, assigned it an ICS-VU tracking identifier, and requested some additional data from my research to review with the vendor.

Responsible Disclosure is Key

We believe that responsible disclosure is important. All ICS/SCADA vendors need time to fix their products and get their patches distributed to the end user community. All SCADA/ICS end users need time to deploy those patches. Otherwise we just let the bad guys have a multi-week jump on the companies running critical control systems. Unless you are a terrorist, that is very bad.

But the point of this blog is that even with responsible disclosure, the bad guys now know where to go to look for SCADA security holes. The talented ones don’t need the specific exploits – they just need to get their hands on any of the four SCADA products. Actually, they probably just need to get their hands on any SCADA HMI product – the number of vendors with clear records is getting smaller by the day.

We repeat what Eric said at the end of his last blog article: ICS Community, now is the time to step up and work together to secure our critical systems.

This article was written in collaboration with Eric Byres.

Joel Langill

Practical SCADA Security thanks Joel for his contribution.

The security concerns with such high quality products are not unheard of. But it's rather surprising that this critical software is subjected to so many vulnerabilities. The work that you did with the HMI package in exposing such security threats is indeed commendable. Hopefully it triggers the production of more secure products in future.

Thank you, Mr. Alan, for recognizing our work, and the fact that the role of security researchers is not to find flaws that can be exploited, but find flaws in order to correct them BEFORE they are exploited by a malicious actor.

Unfortunately, so much of the software that we use in our ICS products today is the result of code "carry over" from older versions that may not have been developed placing security practices at such a priority as it is today. No software developer could afford to completely re-write their entire ICS application suite - so we have to take it one step at a time and begin the process of correcting these legacy flaws.

This is one reason I am such a huge supporter of the DHS ICS-CERT document 'Cyber Security Procurement Language for Industrial Control Systems'. Since we don't live in a perfect world, this document helps those purchasing and installing ICSs to work with their vendors in early identification and correction of potential high-risk areas. This document, coupled with other solid risk-based defense-in-depth strategies, is the best way we can help secure industrial systems from the negative consequences of a cyber event.