Wind turbines could be vulnerable to outside attacks in the wake of the discovery of a cross-site scripting flaw in a common supervisory control and data acquisition/human-machine interface used in the wind energy sector. The flaw is remotely exploitable, and vulnerable deployments of the software are publicly searchable on the Shodan search engine. The vulnerability is the latest threat amid ongoing concerns over cybersecurity and SCADA systems.
The XSS vulnerability affects the Nordex Control 2 application, which is used with all Nordex wind turbine generators to monitor and manage turbine production. The issue was first discovered and disclosed by independent researcher Darius Freamon on his blog. The Industrial Control Systems Cyber Emergency Response Team recently acknowledged the flaw and issued an alert "to provide early notice of the public report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks." Using the vulnerability, an attacker can create a specially crafted request that executes arbitrary code in a user's browser.
"This flaw exists because the application does not validate the 'userName' parameter upon submission to the /login script," a separate advisory on open source vulnerability database website OSVDB.com explained.
Freamon's report, published in October, included a proof of concept. No fix has yet been offered. Cybersecurity experts have been issuing warnings for the past few years about the danger of SCADA system vulnerabilities, which could give hackers access to key infrastructure such as power plants. To avoid such issues, software manufacturers can benefit from using tools like static analysis software to scan for and catch errors during development. By focusing on improving the security for software around products such as wind turbines, vendors reduce the possibility of poor coding being at the heart of a cybersecurity incident.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.