Risk
3/24/2011
06:11 PM
George V. Hulme
George V. Hulme
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Are Industrial Control Systems The New Windows XP

Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.

Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.The story, as covered by our Mathew J. Schwartz yesterday in his story, SCADA Attack Code Released For 35 Vulnerabilities, sums it up well:

The vulnerable systems include Siemens Tecnomatix FactoryLink 8.0.1.1473 (six vulnerabilities, though one is DOS-only), Iconics Genesis32 and Genesis64 10.51 (13 vulnerabilities), 7-Technologies IGSS -- Interactive Graphical SCADA System -- 9.00.00.11059 (8 vulnerabilities), and DATAC RealWin 2.1 (8 vulnerabilities). US-CERT's Industrial Control Systems Cyber Emergency Response Team released four related security bulletins.

Most of the detailed vulnerabilities involve buffer overflows and other threats which, according to experts cited by Wired News, pose little danger except the threat of a system crash. But there are at least two exceptions: The Siemens software can also be made to download a file, raising the possibility of a remote code execution attack. In addition, the IGSS software is vulnerable to arbitrary file execution.

The security of these industrial systems - which help to manage chemical, manufacturing, energy, and distribution networks - is critical. That goes without saying, and many have been decrying the security of SCADA systems for years. Researchers I've interviewed in recent months have said that not only are the SCADA systems themselves inherently full of flaws (and who could argue after this week's vulnerability dump?), but that operators also fail to keep these systems adequately segmented from the Internet, enforce encrypted access, or even use strong authentication.

Stuxnet, especially, highlighted the dangers of such complacency.

The current sad state of affairs with SCADA security reminds me the pre-Windows XP Service Pack 2 days - when dozens of operating system vulnerabilities and worms hammered the operating system. The inherently insecure operating system required one of the most aggressive security overhauls of any operating system before - or since - just to make the software marginally more secure.

This week's disclosure is another sign that shows SCADA developers are going to have to undergo a similar evolution if they're to be trusted. These systems are going to have to be poked, prodded, and fuzzed by these vendors. And, if they don't, expect more vulnerability dumps like the one we saw this week - and more Stuxnets. Hopefully, the worm won't be aimed at U.S. systems next time.

For my security and technology observations throughout the day, find me in Twitter @georgevhulme.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4840
Published: 2014-07-28
Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors.

CVE-2014-2974
Published: 2014-07-28
Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

CVE-2014-2975
Published: 2014-07-28
Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter.

CVE-2014-3303
Published: 2014-07-28
The web framework in Cisco WebEx Meetings Server does not properly restrict the content of query strings, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuj81713.

CVE-2014-3304
Published: 2014-07-28
The OutlookAction Class in Cisco WebEx Meetings Server allows remote attackers to enumerate user accounts by entering crafted URLs and examining the returned messages, aka Bug ID CSCuj81722.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.