Feeds

Gas refineries at Defcon 1 as SCADA exploit goes wild

At least they should be

Protecting against web application threats using SSL

Gasoline refineries, manufacturing plants and other critical facilities that rely on computerized control systems just became more vulnerable to tampering or sabotage with the release of attack code that exploits a security flaw in a widely used piece of software.

The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.

The exploit was created by Kevin Finisterre, the director of penetration testing at security firm Netragard. He said he decided to release the code following conflicting statements by Citect about the severity of the flaw. As a result, he said, organizations that use CitectSCADA were confused about whether they were truly vulnerable.

"In reality, I would be willing to wager a small fortune that most of the folks that received the Citect advisory were not inspired to take immediate action," Finisterre wrote in this paper published to the Milw0rm website. "In general, no one should be more knowledgeable about a software product than the vendor, so if the vendor pulls an Alfred E. Newman and says 'What, me worry?' you can rest assured the userbase will do the same."

At least partly responsible for the confusion is the theoretical reality that the bug should be of little consequence to organizations who take proper precautions with SCADA systems. A core tenet among system administrators of such systems is that remote terminal units and other critical industrial controls should never be exposed to the internet. In reality, however, there are frequently numerous ways unauthorized people can gain access to those controls.

Two of the more common means for gaining unauthorized control include wireless access points and internet-facing controls designed to save organizations money by allowing employees remote access, according to Core Security, which discovered the bug early this year.

To cut through the confusion, Finisterre provided a detailed description of the bug, which he described as a "classic stack-based buffer overflow." By default, a server component of CitectSCADA known as ODBC, or Open Database Connectivity, monitors TCP/IP networks for client requests. Attackers can gain control by modifying the size of the packets sent to the system.

The public exploit is just the latest chapter in a growing body of research revealing the risks of using SCADA systems. In May, Core warned of a flaw in monitoring software known as InTouch SuiteLink that put power plants at risk of being shut down. That same month, US lawmakers lambasted the organization that oversees the North American electrical grid. A UK government minister sounded a similar alarm in that country last month.

Given the increased reliance of SCADA systems - and the confusion that frequently surrounds security advisories - Finisterre said it's crucial white-hat penetration testers have a full chest of tools at their disposal for detecting and fixing vulnerabilities in the systems.

"If you outlaw SCADA exploits, only outlaws will have SCADA exploits," he wrote. "Spread information and inform both yourself and others." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.