Feeds

Gas refineries at Defcon 1 as SCADA exploit goes wild

At least they should be

Top 5 reasons to deploy VMware with Tegile

Gasoline refineries, manufacturing plants and other critical facilities that rely on computerized control systems just became more vulnerable to tampering or sabotage with the release of attack code that exploits a security flaw in a widely used piece of software.

The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.

The exploit was created by Kevin Finisterre, the director of penetration testing at security firm Netragard. He said he decided to release the code following conflicting statements by Citect about the severity of the flaw. As a result, he said, organizations that use CitectSCADA were confused about whether they were truly vulnerable.

"In reality, I would be willing to wager a small fortune that most of the folks that received the Citect advisory were not inspired to take immediate action," Finisterre wrote in this paper published to the Milw0rm website. "In general, no one should be more knowledgeable about a software product than the vendor, so if the vendor pulls an Alfred E. Newman and says 'What, me worry?' you can rest assured the userbase will do the same."

At least partly responsible for the confusion is the theoretical reality that the bug should be of little consequence to organizations who take proper precautions with SCADA systems. A core tenet among system administrators of such systems is that remote terminal units and other critical industrial controls should never be exposed to the internet. In reality, however, there are frequently numerous ways unauthorized people can gain access to those controls.

Two of the more common means for gaining unauthorized control include wireless access points and internet-facing controls designed to save organizations money by allowing employees remote access, according to Core Security, which discovered the bug early this year.

To cut through the confusion, Finisterre provided a detailed description of the bug, which he described as a "classic stack-based buffer overflow." By default, a server component of CitectSCADA known as ODBC, or Open Database Connectivity, monitors TCP/IP networks for client requests. Attackers can gain control by modifying the size of the packets sent to the system.

The public exploit is just the latest chapter in a growing body of research revealing the risks of using SCADA systems. In May, Core warned of a flaw in monitoring software known as InTouch SuiteLink that put power plants at risk of being shut down. That same month, US lawmakers lambasted the organization that oversees the North American electrical grid. A UK government minister sounded a similar alarm in that country last month.

Given the increased reliance of SCADA systems - and the confusion that frequently surrounds security advisories - Finisterre said it's crucial white-hat penetration testers have a full chest of tools at their disposal for detecting and fixing vulnerabilities in the systems.

"If you outlaw SCADA exploits, only outlaws will have SCADA exploits," he wrote. "Spread information and inform both yourself and others." ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.