The U.S. government is warning that critical infrastructure systems are at risk of compromise or attack following the public release of exploits for dozens of holes in four different supervisory control and data acquisition (SCADA) software products.
Saying he had no previous knowledge of SCADA systems before beginning his analysis "some months ago," Italian researcher Luigi Auriemma yesterday posted proof-of-concept software targeting Siemens Tecnomatix FactoryLink, Iconics GENESIS32 and GENESIS64, 7-Technologies IGSS (Interactive Graphical SCADA System) and DATAC RealWin products to the BugTraq security e-mail list.
SCADA systems allow employees at utilities and other industrial plants to monitor and control sensors and operations.
"In technical terms, the SCADA software is just the same as any other software used every day," Auriemma wrote, adding that he was able to exploit common bug classes including stack, heap and integer overflows, arbitrary command execution, memory corruption and format string bugs, as well as design problems and other flaws. He told CNET in an e-mail this afternoon that he released 34 advisories, some of them covering multiple vulnerabilities.
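To make concrete what "the same bugs as any other software" looks like in a network-facing control-system service, here is an added example. It is not code from the article, from Auriemma's advisories, or from any of the vendors named: it is a constructed length-prefixed frame parser carrying two of the bug classes listed above (an unbounded copy into a fixed buffer and an integer wrap in the length check), beside a hardened version. The wire format, buffer size and sample packets are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN     4   /* assumed header: u32 little-endian payload length */
#define MAX_PAYLOAD 64  /* assumed fixed receive buffer */

struct frame {
    uint32_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable length check: "header plus declared length must fit in the
 * packet". The sum is computed in 32 bits, so a declared length of
 * 0xFFFFFFFC wraps to 0 and passes. It also never compares against the
 * 64-byte destination, so a length of 80 inside an 84-byte packet passes. */
int vuln_length_ok(uint32_t len, size_t pkt_len)
{
    uint32_t total = len + HDR_LEN;   /* wraps when len > 0xFFFFFFFB */
    return total <= pkt_len;
}

/* Vulnerable parser: the memcpy length comes straight from the peer. With
 * the check above this is a stack or heap overflow depending on where the
 * struct frame lives. Kept here only to show the pattern; never feed it
 * hostile input. */
int vuln_parse(const uint8_t *pkt, size_t pkt_len, struct frame *out)
{
    if (pkt_len < HDR_LEN) return -1;
    uint32_t len = rd_le32(pkt);
    if (!vuln_length_ok(len, pkt_len)) return -1;
    out->len = len;
    memcpy(out->payload, pkt + HDR_LEN, len);   /* unbounded by MAX_PAYLOAD */
    return (int)len;
}

/* Hardened parser: bound the length against the destination buffer first,
 * then against the bytes actually present, using a subtraction that cannot
 * underflow because pkt_len >= HDR_LEN was already established. */
int safe_parse(const uint8_t *pkt, size_t pkt_len, struct frame *out)
{
    if (pkt_len < HDR_LEN) return -1;
    uint32_t len = rd_le32(pkt);
    if (len > MAX_PAYLOAD) return -1;
    if (len > pkt_len - HDR_LEN) return -1;
    out->len = len;
    memcpy(out->payload, pkt + HDR_LEN, len);
    return (int)len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t GOOD_PKT[8] = {4, 0, 0, 0, 'A', 'B', 'C', 'D'};
static const uint8_t WRAP_PKT[8] = {0xFC, 0xFF, 0xFF, 0xFF, 0, 0, 0, 0};
static const uint8_t BIG_PKT[84] = {80, 0, 0, 0};   /* 80 bytes declared and present */

int demo_safe_good(void) { struct frame f; return safe_parse(GOOD_PKT, sizeof GOOD_PKT, &f); }
int demo_safe_wrap(void) { struct frame f; return safe_parse(WRAP_PKT, sizeof WRAP_PKT, &f); }
int demo_safe_big(void)  { struct frame f; return safe_parse(BIG_PKT,  sizeof BIG_PKT,  &f); }

int main(void)
{
    struct frame f;
    printf("safe good: %d\n", demo_safe_good());   /* 4 */
    printf("safe wrap: %d\n", demo_safe_wrap());   /* -1 */
    printf("safe big:  %d\n", demo_safe_big());    /* -1 */
    printf("vuln check accepts wrap: %d\n", vuln_length_ok(0xFFFFFFFCu, sizeof WRAP_PKT)); /* 1 */
    printf("vuln check accepts big:  %d\n", vuln_length_ok(80, sizeof BIG_PKT));           /* 1 */
    printf("vuln good: %d\n", vuln_parse(GOOD_PKT, sizeof GOOD_PKT, &f)); /* 4, benign input only */
    return 0;
}
```

The point of the pairing is the order of checks: the hardened version tests the declared length against the buffer it will write into before it tests it against the packet, and phrases the packet test as a subtraction that has already been made safe, so neither a wrapped sum nor an honest-but-oversized length can reach the copy.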
The move prompted the U.S. government's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) to swing into action and issue four alerts, one for each of the affected SCADA products, within 12 hours of Auriemma's disclosure.
"ICS-CERT recommends that users minimize network exposure for all control system devices. Control system devices should not directly face the Internet," the advisories said. "Locate control system networks and devices behind firewalls, and isolate them from the business network. If remote access is required, employ secure methods such as virtual private networks (VPNs)."
Asked what his motivation was, Auriemma said he did it to educate the research community and alert the software makers to the problems with their products. "For the security community (other people like me) it serves a lot because from a technical perspective the vulnerabilities I have released are interesting and very heterogeneous," he wrote. "From the point of view of the vendors, consider that they have had a security auditing of their software completely for free and with so much detail that they can fix the vulnerabilities on the fly."
The disclosure comes a week after Moscow-based security firm Gleg released its own software--dubbed "Agora_ SCADA Exploit Pack for CANVAS"--targeting 11 zero-day, or unpatched, SCADA holes, according to The Register. The Gleg Web site was inaccessible today, possibly due to denial-of-service attacks, Dan Goodin at The Register reported; information on those exploits was, however, posted on the SCADAhacker blog.
The disclosure also follows last year's Stuxnet scare: that threat targeted specific Siemens software used in industrial control operations, and experts have said it appears to have been written with nuclear facilities in Iran in mind. It was only a matter of time before hackers poked holes in more SCADA software used in refineries, gas pipelines and other critical operations, experts say.
"I am not at all surprised about these vulnerabilities. The (Department of Homeland Security) puts on a great training session which points out a whole pile of vulnerabilities," said Mike Ahmadi, co-founder of consultancy GraniteKey. "SCADA/ICS vulnerabilities are quite numerous, since the systems were not designed to be secure. They are designed to be reliable, and security tends to impact reliability if not properly implemented and managed."
Dale Peterson of Digital Bond, which does control system security assessments, said he examined about one-third of the vulnerabilities from Auriemma and found them well documented, with adequate code and commands to compromise systems.
"There is a huge amount of legacy code out there with latent vulnerabilities waiting for smart guys like Luigi to find. Vendors that are making their software available for download have to expect that someone in the security research community, and probably some bad guys, will download the product just to find vulnerabilities and build exploits," Peterson wrote in a blog post. "ICS vendors, do you have products available for free download? Have they undergone any security testing? If not, prepare for the very likely experience of zero-days."
Even with a push from the ICS-CERT, it will take time for the affected vendors to fix the products, experts said.
"How long will it take to get patches for these vulnerabilities? We'll have to wait and see," PJ Coyle wrote on his Chemical Facility Security News blog. "Remember, though, the software development cycle started yesterday. Don't hold your breath; it takes time to fix these things."
The SCADA industry is transitioning from the legacy environment, in which systems were isolated from the Internet and focused on reliability instead of security, to a modern environment in which the Internet is being leveraged to improve efficiency. Security appears to be the casualty in the collision of these two very different worlds.
"It's going to be some time before we can say we have a level of security with industrial control systems, where we can put a stamp on it and say we've got a good handle on this," Ahmadi said. "Eventually we'll get there. But it's not going to happen tomorrow or even a year from now."
Updated 3:42 p.m. PT to add Auriemma comment and clarify that there were 34 advisories, some of which cover multiple vulnerabilities.