Risk
3/24/2011
06:11 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Are Industrial Control Systems The New Windows XP

Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.

Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.The story, as covered by our Mathew J. Schwartz yesterday in his story, SCADA Attack Code Released For 35 Vulnerabilities, sums it up well:

The vulnerable systems include Siemens Tecnomatix FactoryLink 8.0.1.1473 (six vulnerabilities, though one is DOS-only), Iconics Genesis32 and Genesis64 10.51 (13 vulnerabilities), 7-Technologies IGSS -- Interactive Graphical SCADA System -- 9.00.00.11059 (8 vulnerabilities), and DATAC RealWin 2.1 (8 vulnerabilities). US-CERT's Industrial Control Systems Cyber Emergency Response Team released four related security bulletins.

Most of the detailed vulnerabilities involve buffer overflows and other threats which, according to experts cited by Wired News, pose little danger except the threat of a system crash. But there are at least two exceptions: The Siemens software can also be made to download a file, raising the possibility of a remote code execution attack. In addition, the IGSS software is vulnerable to arbitrary file execution.

The security of these industrial systems - which help to manage chemical, manufacturing, energy, and distribution networks - is critical. That goes without saying, and many have been decrying the security of SCADA systems for years. Researchers I've interviewed in recent months have said that not only are the SCADA systems themselves inherently full of flaws (and who could argue after this week's vulnerability dump?), but that operators also fail to keep these systems adequately segmented from the Internet, enforce encrypted access, or even use strong authentication.

Stuxnet, especially, highlighted the dangers of such complacency.

The current sad state of affairs with SCADA security reminds me the pre-Windows XP Service Pack 2 days - when dozens of operating system vulnerabilities and worms hammered the operating system. The inherently insecure operating system required one of the most aggressive security overhauls of any operating system before - or since - just to make the software marginally more secure.

This week's disclosure is another sign that shows SCADA developers are going to have to undergo a similar evolution if they're to be trusted. These systems are going to have to be poked, prodded, and fuzzed by these vendors. And, if they don't, expect more vulnerability dumps like the one we saw this week - and more Stuxnets. Hopefully, the worm won't be aimed at U.S. systems next time.

For my security and technology observations throughout the day, find me in Twitter @georgevhulme.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-2214
Published: 2015-03-05
NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php.

CVE-2015-2215
Published: 2015-03-05
Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.

CVE-2015-2216
Published: 2015-03-05
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.

CVE-2015-2218
Published: 2015-03-05
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a w...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.