Researchers expose flaws in popular industrial control systems

Proof-of-concept exploits for multiple vulnerabilities in SCADA products were demonstrated at the 2012 SCADA Security Scientific Symposium

Researchers showcased unpatched security flaws in software used to control critical industrial systems by oil, gas, water and electrical distribution plants at the 2012 SCADA Security Scientific Symposium (S4) on Thursday.

The vulnerabilities ranged from information disclosure and privilege escalation bugs to remote denial-of-service (DoS) and arbitrary code execution flaws.

The research team, which included Reid Wightman, Dillon Beresford, Jacob Kitchel, Rubén Santamarta and two other researchers who chose to remain anonymous, worked as part of a project called Basecamp that was sponsored by industrial control systems (ICS) security firm Digital Bond.

The tested products were Control Microsystems' SCADAPack, the General Electric D20ME, the Koyo / Direct LOGIC H4-ES, Rockwell Automation's ControlLogix and MicroLogix, the Schneider Electric Modicon Quantum and Schweitzer's SEL-2032.

The affected vendors were not notified in advance about the discovered vulnerabilities and the proof-of-concept exploits showcased at S4 are being integrated into the popular Metasploit penetration testing framework.

"We are hoping that Project Basecamp will be a Firesheep moment for PLC's [programmable logic controllers]," said Reid Wightman, a Digital Bond security consultant and Basecamp project lead.

The Firesheep extension for Firefox, which can hijacking people's online accounts when they use open wireless networks, is credited with pushing major online service providers like Google, Facebook, Twitter and Hotmail to add support for persistent HTTPS connections.

Project Basecamp hopes to trigger a similar reaction from SCADA (supervisory control and data acquisition) software developers, whose products have largely been overlooked by the security research community until the Stuxnet industrial sabotage worm emerged in 2010.

Stuxnet, which is considered by many the most sophisticated malware of all times, exploited flaws in SCADA software from SIemens in order to inject malicious code in PLCs used to control uranium enrichment centrifuges at Iran's Natanz nuclear facility.

"For a long time this kind of software [SCADA] has been 'under the radar', living a quiet existence," said Rubén Santamarta, one of the Project Basecamp contributors. "But lately some researchers have been busy targeting ICS products and as a consequence dozens of vulnerabilities emerged in a relatively short time window."

"It has been a 'shock' for the industrial sector, I'm not sure whether they were really prepared to deal with that scenario," Santamarta said. "As a note, we should realize that probably their customers were not asking for security either."

Many of the security problems uncovered by Project Basecamp stem from design flaws and a lot of SCADA products have undocumented features that can be abused for malicious purposes.

"It's not rare to see an industrial software that uses hardcoded accounts or services that look almost like backdoors," said Luigi Auriemma, an independent security researcher who identified and reported SCADA vulnerabilities before. When these features are found, most of the time the only solution is to remove them, he said.

Auriemma believes that the public disclosure of unpatched vulnerabilities, known as zero days, coupled with the activity of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), has had a positive effect on vendors and pushed them to address some of the problems.

However, a more proactive approach like taking security into consideration when designing these SCADA products in the first place, is needed. "It will take time but I strongly believe that security will be seen as a fundamental key as well as an added value for any industrial device in the near future," Santamarta said.

ICS-CERT has already published advisories for many vulnerabilities disclosed by Project Basecamp, and Digital Bond has worked with Tenable to create detection plugins for the Nessus vulnerability scanner.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Struggling for Christmas presents this year? Check out our Christmas Gift Guide for some top tech suggestions and more.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?