Researchers demonstrate tragic state of SCADA security
Since the discovery of Stuxnet, we’ve been hearing from a variety of researchers about security vulnerabilities in SCADA computer systems. While some researchers such as Luigi Auriemma occasionally share with the public entire batches of SCADA flaws and PoC attacks for exploiting them, others get pressured by authorities and manufacturers into canceling their lectures about their discoveries.
But last week, at the SCADA Security Scientific Symposium held in Miami, visitors had the opportunity to hear a damning presentation held by researchers grouped around Project Basecamp which revealed that their testing of six widely used programmable logic controllers (PLCs) resulted in the discovery of alarming security bugs that are mostly design flaws and (even!) features, and of the fact that some of them can’t even take a probing without crashing.
One of the devices, the Control Microsystems’ SCADAPack, bricked early on into testing. The remaining five (General Electric’s D20ME, Koyo’s Direct LOGIC H4-ES, Rockwell Automation’s Allen-Bradley ControlLogix and Allen-Bradley MicroLogix, Schneider Electric’s Modicon Quantum, and Schweitzer’s SEL-2032) displayed a dazzling array of back door accounts, old hardware and firmware, lousy security controls, configuration files easily obtainable by attackers, buffer overflow and remotely exploitable vulnerabilities, unexpected crashes, weak password implementation and authentication protection, and inability to upload custom firmware:
ThreatPost reports that despite the reservations of some security experts that have questioned the researchers’ action of making this information public before sharing it with the vendors, most industrial control security experts are satisfied that someone has finally pointed out these things they knew for years.
“A large percentage of these vulnerabilities the vendor already knows about and has chosen to live with, so this is not news to them,” commented Dale Peterson, CEO of SCADA security firm Digital Bond, which organized the project, and said that the best way to avoid uncomfortable disclosures is to do a better job making secure products.
He expressed his belief that this presentation should be the moment when SCADA systems and PLC vendors finally realize that they have to take security more seriously. For their part, the researchers collaborated with Rapid 7 and Tenable in order to create test modules for the Metasploit Framework and the Nessus scanner for these vulnerabilities, in the hope that vendors will be pushed to make changes with security in mind.