Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

3/24/2011
06:11 PM
George V. Hulme
George V. Hulme
Commentary
50%
50%

Are Industrial Control Systems The New Windows XP

Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.

Earlier this week a security researcher posted nearly three dozen vulnerabilities in industrial control system software to a widely read security mailing list. The move has Supervisory Control and Data Acquisition systems (SCADA) system operators scrambling, and the US CERT issuing warnings.The story, as covered by our Mathew J. Schwartz yesterday in his story, SCADA Attack Code Released For 35 Vulnerabilities, sums it up well:

The vulnerable systems include Siemens Tecnomatix FactoryLink 8.0.1.1473 (six vulnerabilities, though one is DOS-only), Iconics Genesis32 and Genesis64 10.51 (13 vulnerabilities), 7-Technologies IGSS -- Interactive Graphical SCADA System -- 9.00.00.11059 (8 vulnerabilities), and DATAC RealWin 2.1 (8 vulnerabilities). US-CERT's Industrial Control Systems Cyber Emergency Response Team released four related security bulletins.

Most of the detailed vulnerabilities involve buffer overflows and other threats which, according to experts cited by Wired News, pose little danger except the threat of a system crash. But there are at least two exceptions: The Siemens software can also be made to download a file, raising the possibility of a remote code execution attack. In addition, the IGSS software is vulnerable to arbitrary file execution.

The security of these industrial systems - which help to manage chemical, manufacturing, energy, and distribution networks - is critical. That goes without saying, and many have been decrying the security of SCADA systems for years. Researchers I've interviewed in recent months have said that not only are the SCADA systems themselves inherently full of flaws (and who could argue after this week's vulnerability dump?), but that operators also fail to keep these systems adequately segmented from the Internet, enforce encrypted access, or even use strong authentication.

Stuxnet, especially, highlighted the dangers of such complacency.

The current sad state of affairs with SCADA security reminds me the pre-Windows XP Service Pack 2 days - when dozens of operating system vulnerabilities and worms hammered the operating system. The inherently insecure operating system required one of the most aggressive security overhauls of any operating system before - or since - just to make the software marginally more secure.

This week's disclosure is another sign that shows SCADA developers are going to have to undergo a similar evolution if they're to be trusted. These systems are going to have to be poked, prodded, and fuzzed by these vendors. And, if they don't, expect more vulnerability dumps like the one we saw this week - and more Stuxnets. Hopefully, the worm won't be aimed at U.S. systems next time.

For my security and technology observations throughout the day, find me in Twitter @georgevhulme.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...