SCADA software is a bug trap

Stefan Mileschin · 28th November 2012, 08:36

SCADA software has more bugs in it than Casu marzu cheese, according to Italian insecurity experts.

Researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric.

Other researchers at Exodus Intelligence have followed suit and found more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work.

SCADA software is rather important. It is used to run systems at utilities, manufacturing plants and other critical points.

It has also been a key target for security researchers as well as hackers.

There have been few documented attacks against SCADA installations enterprise software, but those which have happened have created a real mess.

The most well-known example was the Stuxnet worm, which targeted Siemens software installed at the Natanz enrichment facility in Iran.

Terry McCorkle told Threatpost that the operating system was stuck in the 1990s. SDL doesn't exist in Industry Control System (ICS) software. There are a lot of ActiveX and file format bugs and he didn't even bother looking at problems with services.

He said that the state of ICS security is kind of laughable.

Exodus Intelligence expert Aaron Portnoy, who had a bit of time on his hands waiting for his Thanksgiving turkey to cook, spent a couple of hours looking for bugs in SCADA applications.

He said he found more than 20, several of which are remote code-execution vulnerabilities.

Portnoy said that the most interesting thing about these bugs was how trivial they were to find. The first exploitable 0day took a mere seven minutes to discover from the time the software was installed.

He said that the most difficult part of finding SCADA vulnerabilities seems to be locating the software. Apparently finding the software on a system was more difficult than finding the bugs themselves.

Portnoy had no experience of SCADA apps and based his search on the video posted by ReVuln.

http://news.techeye.net/security/sca...-is-a-bug-trap

28th November 2012, 08:36	#1
Stefan Mileschin [M] Reviewer Join Date: May 2010 Location: Romania Posts: 148,500	SCADA software is a bug trap SCADA software has more bugs in it than Casu marzu cheese, according to Italian insecurity experts. Researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. Other researchers at Exodus Intelligence have followed suit and found more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work. SCADA software is rather important. It is used to run systems at utilities, manufacturing plants and other critical points. It has also been a key target for security researchers as well as hackers. There have been few documented attacks against SCADA installations enterprise software, but those which have happened have created a real mess. The most well-known example was the Stuxnet worm, which targeted Siemens software installed at the Natanz enrichment facility in Iran. Terry McCorkle told Threatpost that the operating system was stuck in the 1990s. SDL doesn't exist in Industry Control System (ICS) software. There are a lot of ActiveX and file format bugs and he didn't even bother looking at problems with services. He said that the state of ICS security is kind of laughable. Exodus Intelligence expert Aaron Portnoy, who had a bit of time on his hands waiting for his Thanksgiving turkey to cook, spent a couple of hours looking for bugs in SCADA applications. He said he found more than 20, several of which are remote code-execution vulnerabilities. Portnoy said that the most interesting thing about these bugs was how trivial they were to find. The first exploitable 0day took a mere seven minutes to discover from the time the software was installed. He said that the most difficult part of finding SCADA vulnerabilities seems to be locating the software. Apparently finding the software on a system was more difficult than finding the bugs themselves. Portnoy had no experience of SCADA apps and based his search on the video posted by ReVuln. http://news.techeye.net/security/sca...-is-a-bug-trap

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
PVR recording software?	mentalcrisis00	General Madness - System Building Advice	2	29th September 2007 17:08
What's Different About Multiprocessor Software?	jmke	WebNews	1	24th April 2007 09:51
When is a Software Engineer Not a Software Engineer?	Sidney	WebNews	0	15th November 2004 06:25
old hw- no new software	koensa	General Madness - System Building Advice	10	30th August 2004 11:54
Best backup software ?	bambix	Hardware/Software Problems, Bugs	4	27th September 2003 15:47
naamkaart software	DJ-EviL	Hardware/Software Problems, Bugs	0	4th December 2002 16:43
Divx software	GORGH	Hardware/Software Problems, Bugs	4	11th June 2002 10:46