Login / Signup

Disclosed the unpatched vulnerabilities of six commercial SCADA systems

  • user warning: Table './devemc/sessions' is marked as crashed and last (automatic?) repair failed query: SELECT COUNT(sid) AS count FROM sessions WHERE timestamp >= 1418995549 AND uid = 0 in /home/devemc/public_html/dev/includes/session.inc on line 157.
  • user warning: Table './devemc/sessions' is marked as crashed and last (automatic?) repair failed query: SELECT COUNT(DISTINCT s.uid) FROM sessions s WHERE s.timestamp >= 1418995549 AND s.uid > 0 in /home/devemc/public_html/dev/modules/user/user.module on line 790.

An Italian researcher in the field of computer security, Luigi Auriemma, has disclosed a list of bugs, not yet corrected, regarding six commercial SCADA systems. The control systems adopted by major industrial companies are vulnerable and subject to attacks from hackers?

What is a SCADA

Perhaps among the readers there is someone who does not know exactly what a SCADA is, and what is its importance in the field of industrial automation and control systems. Let us briefly see some basic concepts.
The term SCADA is an acronym for Supervisory Control And Data Acquisition, and the name itself sums up very well the three main features common to every system of this type:

  1. acquisition - this function refers to the acquisition (by means of sensors placed at appropriate points in the system) of physical quantities useful for the control and the supervision of the system, and their conversion, if necessary, in digital format. In an industrial furnace, for example, it may be convenient to have the measure of the temperature (in one or more points), the state of door opening/closing, and so on.
  2. control - in addition to sensors, used to accomplish the acquisition of the measures, an industrial control system must also have some actuators (pumps, motors, valves, etc..) which, acting appropriately on that system, are able to control it, that is modify its operation so as to follow a well-established law. Also in the case of the oven, the actuators could act on the heat production system so as to disable it when the temperature reaches a certain value, or turn on the fans to evenly distribute the heat in the oven
  3. supervision - this feature allows you to visually monitor, through the so-called synoptic tables (now replaced by computer monitors), the state of the system, alarms and warnings, and so on. Today even a single person can adequately supervise a complex industrial system, and it is also possible to perform remote monitoring (through a remote connection)

There are numerous applications of SCADA systems. These include manufacturing systems, industrial plants for energy production (power plants and nuclear plants, for example), chemical plants, refineries, water treatment plants, and so on.
The following image (taken from Wikipedia) shows a typical example of SCADA application.
First of all we have a tank that can be filled by the action carried out by an electric pump (E-1), and a flow sensor that measures the flow with which the tank is filled (F-1). The PLC PLC-1 compares the measured flow with the required one, and acts accordingly on the pump to make them equal. On the tank are present a level sensor (L), and a valve V-2, both controlled by PLC-2, which acts on V-2 so that the level assumes the desired value. In this context, the SCADA, in addition to the acquisition and supervision capabilities, performs a control activity in order to set the appropriate set-points on the two PLCs (flow for PLC-1 and level for PLC-2).

The latest generation of SCADA systems are characterized by an increased level of distribution and networking. This is due to the prevalence of network protocols, such as the various standards contained in the Ethernet "hat", as well as functionality and remote available from the Internet world. The downside is that every device on the network is by itself potentially vulnerable, and subject to possible attacks by hackers or other ill-intentioned persons.
This vulnerability was highlighted and demonstrated by an Italian researcher. Let's look in more detail what he discovered.

Vulnerability of SCADA

Luigi Auriemma has revealed on its website a detailed list of defects (bugs in computer terminology), not yet corrected at the time, affecting six commercial SCADA systems, including the U.S. giant of automation, that is Rockwell Automation. For each bug is given a detailed description of the defect, and the steps needed to provoke/reproduce it. This point is crucial, because through this information developers who are in charge of the specific software product (or who is in charge of the resolution of defects) can make the necessary changes and solve the problem. Some of the affected SCADA systems are currently used in plants for energy production, for the treatment of water (including drinking water), waste disposal, and agriculture.
It rises at this point a fair question: and if this information was used by hackers or malicious, the main industrial control systems could be compromised?. It must in fact be noted that the defects identified by the researcher, capable of undermining the vulnerability of the concerned SCADA systems, may allow attacks conducted through remote connections, leaving the door open to DoS (Denial of Service) attacks or even to crash certain applications.
Whether it is right or not disclose this information is a controversial topic, on which each of us has their own opinion. Let's see what is the view of a part of the world of computer security, and what is the opinion of the Italian researcher.
The most widespread opinion expressed by the field of computer security (especially from companies that operate there), is not to be satisfied with the disclosure of such information, indicated as 0-day disclosure. This term refers to the immediate release of information relating to a software defect or malfunction before it is available its correction (patch). According to this view, in fact, customers (those people and organizations using the incriminated products) are exposed to attacks, without having available the appropriate fix, and these attacks may be of interest to various types of industrial equipment and systems such as elevators, production systems energy, and so on.

Luigi Auriemma, as he himself says on his website, likes the dissemination of information, and tries to make it available to others, sharing it, everything that has found useful. He also says he has a particular predilection for computers and for software bugs (but only because it's the best thing he can do right now). Regarding the process of identifying and reporting bugs, Luigi has developed a real policy which he adopted until 2008, then he changed it. Once a bug has been found, the first step consists in its "disclosure", that is in its revelation. The next step is to contact the vendor of the software product, or directly the developers in charge of the same. This step, however, starting from 2008, is performed at the discretion of the investigator (so, in some cases Auriemma decides only to publish the "responsible disclosure").
What is Auriemma's opinion on this issue?
We can find out it by reading his own words:

"And remember that I find bugs, I don't create them, the developers are the only people who create bugs (indirectly naturally) so they are ever the only responsible."
And he also adds:
"As everything in the world is not possible to control the usage of what we create (like the producers of knives just to make an example comprehensible by anyone) so for me is only important that my research has been useful or interesting."

Link to the news on Slashdot

Who's online

There are currently users and guests online.

Recent comments