US-CERT Issues Warnings On SCADA Security Vulnerabilities

The spotlight is once again shining on critical infrastructure security, this time due to the disclosure of nearly three dozen software vulnerabilities impacting a number of vendors.

On Monday, security researcher Luigi Auriemma released proof-of-concept code for a spate of vulnerabilities affecting SCADA (supervisory control and data acquisition) software from Siemens, Iconics, DATAC Control International and 7-Technologies. In response, experts with US-CERT's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) have issued four separate advisories warning companies of the discoveries, as well as a fifth warning about another issue discovered separately.

SCADA software is used by companies to control and monitor processes at industrial plants and has been a source of particular interest for security researchers during the past several months due to the discovery of the infamous Stuxnet worm last year. According to Auriemma, the disclosure was necessary. The vulnerabilities, he explained, were part of an experiment that also included checking how much the security industry and ICS-CERT were interested in SCADA security.

"Unfortunately there was absolutely no interest for these vulnerabilities and the only choice remained the good old full-disclosure... ICS-CERT has the power to do a lot for the communication and the partnership between the researchers and the vendors but it simply says that the researcher must do everything by himself... And all this for having his name credited on their advisories," the researcher told CRN in an e-mail. "It sounds [like] a joke to me and I have already said it to ICS directly and repeated [it] when they have contacted me after my release of two days ago."


The vulnerabilities in his findings ran the gamut from memory corruption to integer and stack overflow bugs.

Specifically, the flaws impacted Siemens Tecnomatix FactoryLink, Iconics GENESIS32 9.21 and GENESIS64 10.51, 7-Technologies IGSS and DATAC RealWin 2.1 (Build from DATAC.

Siemens, Iconics and 7-Technologies did not respond to CRN's request for comment before deadline regarding when patches would be available. However, DATAC Control International CEO Cyril Kerr told CRN the company's engineering team is looking into the problem, but that the issue concerns the demo version of the RealWin software (version 2.1.10) and older.

"The downloadable version of RealWin is primarily used as a sales promotion tool," he explained.

"RealWin is not our primary product," Kerr wrote in an e-mail. "RealFlex 6, which uses the real-time operating system QNX, is our flagship SCADA product used in mission critical applications... The demo version of RealWin is used to allow potential customers to download from our site a copy of the RealWin SCADA software but without any drivers. Therefore, the demo version cannot be used in a real application."

"We do have RealWin running on stand-alone applications like machine control where it is not connected to the internet nor would ever be in such applications," Kerr added. "Where our customers connect to the net, we promote the use of our flagship product RealFlex 6, which is extremely secure."


According to Auriemma, almost all of the vulnerabilities require only basic skills to exploit, and some require no skills at all; for example, one bug only requires an attacker to type the desired command into the packet file he provided to execute it remotely. The good news, he noted, is that SCADA systems should be on segregated networks.

"SCADA systems are intended to work in isolated private networks so nobody except the authorized users should be able to even "ping" the machines where the vulnerable [software] is running," he added. "If this happens [it] means that the security of the company has been already compromised before."

In addition to the bugs uncovered by Auriemma, ICS-CERT also issued a warning about a vulnerability reported by independent researcher Rubén Santamarta in BroadWin WebAccess, a Web-based HMI platform used in energy, manufacturing, and building automation applications. ICS-CERT said in its March 22 advisory that it has forwarded the researcher's information to BroadWin.

"Vulnerability assessment is one of the first steps in any security process, so it's a good thing that the users of industrial control and SCADA systems are aware that these vulnerabilities exist," said Eric Knapp, NitroSecurity director of critical infrastructure markets.

"The assessments allow companies to take extra caution in effectively securing these systems, such as testing and applying patches as they become available, properly isolating these systems within highly protected network zones and closely monitoring them for any signs of anomalies or suspicious activity," he added.

"They should also assume that this is just the tip of the iceberg," he told CRN. "SCADA and industrial control systems are designed to enjoy extremely long life-cycles, and until Stuxnet, security wasn't always a top design consideration. It's logical to assume that other vulnerabilities exist that haven't yet been discovered or disclosed. It's one more reason why proper isolation and monitoring of these systems is so crucial."