Troubling Findings on SCADA Security

A trio of security firms have found worrisome vulnerabilities in supervisory control and data acquisition (SCADA) systems that are used to run utilities. The concern is both the number of problems and what experts say is the ease with which they can be exploited.

Recently, according to The H Security, ReVuln posted a video describing zero-day vulnerabilities in SCADA systems from companies including General Electric, Schneider Electric and Eaton. The story hints at the problems, but said ReVuln does not go into detail:

According to ReVuln, the vulnerabilities allow remote code execution, remote shells access and session hijacking on the PCs that form the foundation of the SCADA installations. If the claim is correct, attackers would have the ability to completely take over these systems since many of the control computers are inadvertently accessible over the internet due to their configurations. So far, ReVuln’s claims have not been backed by independent security experts.

The second piece of research came from Exodus Intelligence. There is a connection between the two: Executive Vice President of Research Aaron Portnoy said that he got curious after seeing news of the ReVuln work. He found much the same thing:

“The most interesting thing about these bugs was how trivial they were to find,” he wrote in the blog post. “For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison. The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself.”

The third piece of research that has come to light during the past few weeks appears not to be connected to ReVuln or Exodus. Dark Reading reports that Positive Technologies Security found that 64 vulnerabilities were reported in SCADA systems during 2011. In the preceding six years, a total of nine were uncovered. The increase is not slowing: The firm said that 98 bugs were reported between January and August of 2012.

Experts credit the Stuxnet virus — which was developed by the U.S. and Israel to gum up the Iranian nuclear program — for inspiring all the bad folks. The problem is intensified by the fact that utilities made the mistake a decade ago of mixing their management networks with those that actually run the systems. The advent of the Internet meant that all of the utilities were linked. Thus, a piece of malware has a radically better chance of causing problems than if the infrastructure had been designed more prudently.

The bottom line is that bad design, carelessness and smart malware distributors makes this a particularly dangerous situation.