Feeds

Gas refineries at Defcon 1 as SCADA exploit goes wild

At least they should be

Internet Security Threat Report 2014

Gasoline refineries, manufacturing plants and other critical facilities that rely on computerized control systems just became more vulnerable to tampering or sabotage with the release of attack code that exploits a security flaw in a widely used piece of software.

The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.

The exploit was created by Kevin Finisterre, the director of penetration testing at security firm Netragard. He said he decided to release the code following conflicting statements by Citect about the severity of the flaw. As a result, he said, organizations that use CitectSCADA were confused about whether they were truly vulnerable.

"In reality, I would be willing to wager a small fortune that most of the folks that received the Citect advisory were not inspired to take immediate action," Finisterre wrote in this paper published to the Milw0rm website. "In general, no one should be more knowledgeable about a software product than the vendor, so if the vendor pulls an Alfred E. Newman and says 'What, me worry?' you can rest assured the userbase will do the same."

At least partly responsible for the confusion is the theoretical reality that the bug should be of little consequence to organizations who take proper precautions with SCADA systems. A core tenet among system administrators of such systems is that remote terminal units and other critical industrial controls should never be exposed to the internet. In reality, however, there are frequently numerous ways unauthorized people can gain access to those controls.

Two of the more common means for gaining unauthorized control include wireless access points and internet-facing controls designed to save organizations money by allowing employees remote access, according to Core Security, which discovered the bug early this year.

To cut through the confusion, Finisterre provided a detailed description of the bug, which he described as a "classic stack-based buffer overflow." By default, a server component of CitectSCADA known as ODBC, or Open Database Connectivity, monitors TCP/IP networks for client requests. Attackers can gain control by modifying the size of the packets sent to the system.

The public exploit is just the latest chapter in a growing body of research revealing the risks of using SCADA systems. In May, Core warned of a flaw in monitoring software known as InTouch SuiteLink that put power plants at risk of being shut down. That same month, US lawmakers lambasted the organization that oversees the North American electrical grid. A UK government minister sounded a similar alarm in that country last month.

Given the increased reliance of SCADA systems - and the confusion that frequently surrounds security advisories - Finisterre said it's crucial white-hat penetration testers have a full chest of tools at their disposal for detecting and fixing vulnerabilities in the systems.

"If you outlaw SCADA exploits, only outlaws will have SCADA exploits," he wrote. "Spread information and inform both yourself and others." ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.