An Italian researcher has uncovered at least a dozen security flaws in software used in utilities and other critical infrastructure systems, prompting security advisories from the U.S. government.
Luigi Auriemma released information about the previously unknown vulnerabilities and proof of concept exploit code earlier this week on his Web site. He has been prolific, releasing a whopping 34 advisories--some with multiple vulnerabilities--in March, along with a handful or more each month since then.
The holes affect different SCAA (supervisory control and data acquisition) products that are used in the energy, water, wastewater, oil-and-gas, manufacturing, and financial industries, according to the advisories from ICS-CERT (Industrial Control Systems-Computer Emergency Readiness Team). Some of the vulnerabilities could allow for remote code execution or denial of service, Auriemma's site said.
The most serious vulnerability affects PLC (programmable logic controller) software used to control physical devices, said Justin Searle managing partner at UtiliSec, a consulting firm for smart-grid and electricity companies.
"He's finding a bunch of software that hasn't really considered security before," Searle said. "A lot of vendors still believe that their products are protected in spaces where attackers can't get to."
Luigi's releases show that software written by most SCADA and DCS (distributed control system) vendors did not follow good security development life-cycle and quality-control testing processes, according to Dale Peterson, founder of consultancy Digital Bond, who wrote about Auriemma's latest releases in a blog post.
"Many of the bigger ICS vendors have addressed this issue in recent years, and the new product-protocol stacks are often more robust," Peterson said in an e-mail. "That said, there is a ton of legacy stuff out there with this problem and a large number of vendors still have not seen the light."
SCADA security issues have risen to the forefront with researchers demonstrating attacks at security conferences and the emergence last year of Stuxnet, a sophisticated threat that targeted specific Siemens software used in industrial control operations. Stuxnet appears to have been written with nuclear facilities in Iran in mind. It was only a matter of time before hackers poked holes in more SCADA software used in refineries, gas pipelines, and other critical operations, experts say.
Chris Wysopal, chief technology officer at Veracode, noted how prolific Auriemma is, and how fast--the 30-year-old Italian researcher says he only recently became acquainted with SCADA software and can find a bug in a matter of days or less.
"Finding zero-day (previously unknown holes) in SCADA software is like nuking fish in a barrel," Wysopal quipped.
"People purchasing these systems need to push back on suppliers and ask them what they are doing to secure the system before selling it to customers," he added.
In an e-mail interview with CNET today, Auriemma said this week's batch of vulnerabilities were very easy to find, in a period of time so short it was "ridiculous." And he said he has more up his sleeve.
"I have, for sure, ideas of doing something better on more serious products in the next weeks," he said. "And there is already a big vendor in which I found some code execution vulnerabilities in January that for the moment are in the hands of TippingPoint," a firm that pays researchers for reporting bugs.