By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services
SCADA – supervisory control and data acquisition – software has been taking a lot of hits lately. After last year’s Stuxnet threat, which targeted specific Siemens software, it was, according to some, inevitable that vulnerabilities were revealed in SCADA software, which is used in refineries, gas pipelines, manufacturing, and other critical operations. In fact, we asked that very question last July in our post whether there could be a hack into our infrastructure.
We still believe that it is absolutely possible, particularly given that SCADA software has traditionally been isolated from the Internet but is in transition to an environment in which it could be accessed through the Internet.
Recently, the Moscow-based security firm, Gleg, released its own software — dubbed “Agora_ SCADA Exploit Pack for CANVAS,” that targets 11 zero-day, or unpatched, SCADA holes. And, on its heels, the U.S. DHS National Cyber Security Division’s Control Systems Security Program (CSSP) issued four warnings that SCADA systems are at-risk for the exploitation of common bugs, including exploit stack, heap and integer overflows, as well as perform arbitrary command executions and memory corruptions, among other vulnerabilities.
According to the CSSP, at-risk are Siemens TecnomatixFactoryLink, Iconics GENESIS32 and GENESIS64, 7-Technologies IGSS (Interactive Graphical SCADA System) and DATAC RealWin products to the BugTraq security e-mail list. These vulnerabilities were exposed by Italian researcher Luigi Auriemma, who said his motivation for hacking the systems was “to educate the research community and alert software makers to problems with their products.”
SCADA software is in transition from a legacy environment that was isolated from the Internet. During the years it will take the plants that run our country’s critical infrastructure to upgrade to a more modern version, it will serve them well to heed the CSSP warnings and to find ways to keep their control systems secure.