Risk
3/24/2011
06:11 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Are Industrial Control Systems The New Windows XP

Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.

Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.The story, as covered by our Mathew J. Schwartz yesterday in his story, SCADA Attack Code Released For 35 Vulnerabilities, sums it up well:

The vulnerable systems include Siemens Tecnomatix FactoryLink 8.0.1.1473 (six vulnerabilities, though one is DOS-only), Iconics Genesis32 and Genesis64 10.51 (13 vulnerabilities), 7-Technologies IGSS -- Interactive Graphical SCADA System -- 9.00.00.11059 (8 vulnerabilities), and DATAC RealWin 2.1 (8 vulnerabilities). US-CERT's Industrial Control Systems Cyber Emergency Response Team released four related security bulletins.

Most of the detailed vulnerabilities involve buffer overflows and other threats which, according to experts cited by Wired News, pose little danger except the threat of a system crash. But there are at least two exceptions: The Siemens software can also be made to download a file, raising the possibility of a remote code execution attack. In addition, the IGSS software is vulnerable to arbitrary file execution.

The security of these industrial systems - which help to manage chemical, manufacturing, energy, and distribution networks - is critical. That goes without saying, and many have been decrying the security of SCADA systems for years. Researchers I've interviewed in recent months have said that not only are the SCADA systems themselves inherently full of flaws (and who could argue after this week's vulnerability dump?), but that operators also fail to keep these systems adequately segmented from the Internet, enforce encrypted access, or even use strong authentication.

Stuxnet, especially, highlighted the dangers of such complacency.

The current sad state of affairs with SCADA security reminds me the pre-Windows XP Service Pack 2 days - when dozens of operating system vulnerabilities and worms hammered the operating system. The inherently insecure operating system required one of the most aggressive security overhauls of any operating system before - or since - just to make the software marginally more secure.

This week's disclosure is another sign that shows SCADA developers are going to have to undergo a similar evolution if they're to be trusted. These systems are going to have to be poked, prodded, and fuzzed by these vendors. And, if they don't, expect more vulnerability dumps like the one we saw this week - and more Stuxnets. Hopefully, the worm won't be aimed at U.S. systems next time.

For my security and technology observations throughout the day, find me in Twitter @georgevhulme.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4467
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3, does not properly determine scrollbar boundaries during the rendering of FRAME elements, which allows remote attackers to spoof the UI via a crafted web site.

CVE-2014-4476
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4477
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4479
Published: 2015-01-30
WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulner...

CVE-2014-4480
Published: 2015-01-30
Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.