Experts speak of a critically low safety of industrial IT systems
Editor’s Note: Translation courtesy of CRE.
Experts in IT security say that vulnerabilities in industrial complexes to control the equipment continues to be one of the weakest links in the security industry. Among Exodus Intelligence said that as part of their latest research specialists have found more than two dozen new vulnerabilities in the currently used SCADA-systems from different manufacturers. Today in Exodus say they will not provide specific information, as almost any of the problems manufacturers are not eliminated.
Aaron Portnoy, Vice President of Exodus, said the vulnerabilities were discovered in SCADA-systems manufacturers, such as Rockwell Automation and Schneider Electric, Indusoft, Realflex and Eaton. All products manufactured by these companies now are used to manage critical areas, production facilities and other industrial complexes.
Two weeks earlier, the company ReVuln also reported to have discovered vulnerabilities in software companies General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. However, ReVuln also provided data on the identified vulnerabilities, saying that now check the data. The company sells about ReVuln identify vulnerable customers on a subscription.
“I decided to investigate the SCADA-system after he read the article and decided it was too dangerous to sell data about the vulnerabilities of this kind, as they relate to the protection of critical infrastructure,” – says Portnoy.
Among ReVuln say the sales system vulnerability information – this is a common model, which is not new to the research community and software vendors. At the same time, independent experts have repeatedly criticized the practice. For example, recently addressed the French company Vupen heard accusations that it sells vulnerability information to government authorities NATO, rather than transferring data to producers of software.
In Exodus say they identified seven vulnerabilities that allow remote execution of code from remote sites, and 14, resulting in DoS-attacks on SCADA. Some of the vulnerabilities allow the ability to upload, download and delete files from a vulnerable target systems. “We can say that the most surprising in identifying bugs in the systems was that they found was surprisingly easy. First zero-day vulnerability has been found in seven minutes of analysis. For those who spend a lot of time auditing SCADA-systems, it is obvious that identify the problem here many times easier than in conventional software enterprise “- says Portnoy.
According to him, now the world’s SCADA products has developed a weird situation: get the software itself is more difficult than actually finding the bugs in it.
“To get the software I used a variety of methods. Some programs have trial versions, while others had to hunt for FTP-archives, others get through other channels. I tried to get the latest versions of the products,” – he said.
Taylor said that as ReVuln, his company sells data about the vulnerabilities by subscription, but the service itself Exodus oriented companies wanting to protect themselves from potential attacks, as simultaneously with the identification of the problem data it sent to the manufacturer. “All of our customers have also signed non-disclosure agreement regarding the information obtained to ensure that the information remains with the dangerous limited number of recipients,” – says Portnoy.
Similarly, business deals and company Secunia, and its requirements to disclose even tougher.