For Aaron Portnoy, vice president of research at Exodus Intelligence, Thanksgiving offered a chance to pile up a collection of supervisory control and data acquisition (SCADA) system vulnerabilities in addition to his mashed potatoes and cranberry sauce. The security researcher’s holiday bug hunt yielded 23 vulnerability discoveries, according to a blog post on the Exodus website.
Portnoy said he sought to complement other recent reports of SCADA system bugs in the hope that as many vulnerabilities could be disclosed to vendors as possible. Security in SCADA systems, which control a wide range of industrial and critical infrastructure facilities, has come under increased scrutiny since viruses such as Flame and Stuxnet prompted an uptick in vulnerability disclosures. A recent Positive Technologies study reported that 98 SCADA system vulnerabilities were found in the first eight months of 2012, compared to just 9 such bugs in the period from 2005 to early 2010.
The vulnerabilities Portnoy discovered included 13 denial-of-service (DoS) flaws, six remote execution flaws, three file vulnerabilities and an insecure third-party software installation in products from five different vendors. He found the first zero-day bug within seven minutes of installing the software, and he explained that finding copies of the SCADA software to test was more difficult than seeking out vulnerabilities.
“The most interesting thing about these bugs was how trivial they were to find … For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison,” he wrote.
Portnoy recommended that ICS-CERT, the government agency that works with SCADA vendors to ensure vulnerabilities are fixed, establish a repository of software for researchers to test, noting that he plans to do further analysis in the future.
Protecting against SCADA system bugs
Several analyses have noted that the SCADA security field is growing as awareness of threats targeting such systems increases. A recent Pike Research report forecast an annual growth rate of 6.4 percent in the market for control system security through 2020. As the situation currently stands, however, the best approach to improving the security of these embedded software systems may be strengthening the development process for new products.
“It’s just going to be a never-ending flow of vulnerabilities until you actually go in and redesign that code,” Dale Peterson, CEO of Digital Bond, told Dark Reading in a November 6 article.
Vendors can adopt more secure coding practices, such as using source code analysis, to catch many potential software flaws and minimize the cybersecurity risk of a SCADA system exploit.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.