Researchers have reportedly found 23 vulnerabilities in industrial control software, specifically Scada software, that expose machinery to the risk of either remote code execution or denial-of-service attacks.
According to a blog by Exodus Intelligence, the discovery was made after fellow vulnerability researchers ReVuln "discovered vulnerabilities in Scada software and decided not to inform the affected vendors, but rather sell the information privately to their customers".
Exodus Intelligence vice president of research Aaron Portnoy said: “On Thanksgiving day I had a morning's worth of time to wait for a turkey to cook, so I decided to take a shot at finding as many Scada zero-day vulnerabilities as possible. As we at Exodus responsibly report all vulnerabilities we deal with, my goal was to report any such findings for free to ICS-Cert, the group responsible for collaborating with Scada vendors to ensure vulnerabilities are fixed.”
He said he found 23 vulnerabilities in software from Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton.
“The most interesting thing about these bugs was how trivial they were to find. The first exploitable zero-day took a mere seven minutes to discover from the time the software was installed,” he said.
“For someone who has spent a lot of time auditing software used in the enterprise and consumer space, Scada was absurdly simple in comparison. The most difficult part of finding Scada vulnerabilities seems to be locating the software itself. I plan to put in a request to the ICS-Cert that they perhaps establish a repository of Scada software for researchers such as myself to audit (provided they agree to disclose the vulnerabilities, that is).”
Ross Brewer, vice president and managing director of international markets at LogRhythm, said: “With Scada software being primarily responsible for critical operations and national infrastructures, an attack of this nature could not only result in the loss of data, but could also cause damage to physical assets and in certain scenarios, the loss of life.
“This latest discovery of a host of Scada vulnerabilities should therefore make it clear to organisations and governments alike that lax security is never an option and they must urgently re-examine the tools that are currently defending our control systems.”
Matt Middleton-Leal, regional director for UK & Ireland at Cyber-Ark, said: “If leveraged, these vulnerable access points can be exploited to remotely wreak havoc by disrupting power supplies, impeding oil and gas pipeline flows, or even by installing malware, which can lurk hidden in the system and re-emerge later for follow-on impact.”