34 SCADA vulnerabilities revealed

It is safe to say that the existence of SCADA (supervisory control and data acquisition) systems was a fact unknown to many before the advent of the Stuxnet worm, and not many security researchers were interested in analyzing the code of the software that monitors and controls the hardware involved in industrial, infrastructure, or facility-based processes.

But things have changed. As industrial cyber espionage becomes an every-day occurrence and attacks on infrastructure or facilities critical to a country are practically expected, security experts have realized that research concerning that type of software might, after all, be rewarding.

Italian researcher Luigi Auriemma is one of those, and by his own admission, he wasn’t familiar with SCADA before starting an experiment that had him searching for vulnerabilities in a number of well-known server-side SCADA software: Siemens Tecnomatix FactoryLink, Iconics GENESIS32 and GENESIS64, 7-Technologies IGSS, and DATAC RealWin.

He disclosed the vulnerabilities he found and the proof-of-concept code related to each of them on Monday on the Bugtraq mailing list.

“SCADA is a critical field but nobody really cares about it,” he revealed to The Register. “That’s also the reason why I have preferred to release these vulnerabilities under the full-disclosure philosophy.”

According to him, most of them can be leveraged to execute a remote code execution on SCADA software-run machines with an Internet connection. Others allow attackers access to stored data, and in one case, to even interfere with the hardware that uses the software in question.

Other security researchers have also been looking into SCADA software vulnerabilities. Gleg, a Russian security firm, offered quite recently an exploit pack for SCADA systems for sale. Called Agora SCADA+, the kit contains 22 modules that incorporate exploits for eleven zero-day vulnerabilities.