Mar 25, 2011 14:54 GMT

The wave of vulnerabilities disclosed in SCADA software continued this week with another public disclosure and an advisory about a patched flaw.

Supervisory control and data acquisition (SCADA) software is responsible for monitoring and controlling equipment in industrial facilities, including oil and gas refineries, power and water processing plants, factories, etc.

So far, SCADA software has been rather obscure security-wise; however, experts have argued for the past couple of years that more attention should be given to it due to its critical role.

Attacks against SCADA software moved from theoretical to practical last year with the discovery of Stuxnet, a highly sophisticated industrial espionage malware whose purpose was to destroy uranium enrichment centrifuges at Iran's Natanz nuclear plant.

This development appears to have motivated some security researchers to probe this type of software, and some of them have opted for full public disclosure in order to raise awareness.

Earlier this week Italian security researcher Luigi Auriemma published complete details about 34 vulnerabilities in four SCADA products together with proof-of-concept exploit code.

Following his disclosure, independent researcher Rubén Santamarta released an exploit for a remote code execution vulnerability affecting a Web-based SCADA product called BroadWin WebAccess.

His decision to go public was the result of the vendor denying the existence of a problem. "I contacted ICS-CERT [Industrial Control Systems Cyber Emergency Response Team] to coordinate with Advantech but the vendor denied having a security flaw. So guys, the exploit I'm releasing does not exist. All is product of your mind," the researcher says ironically.

A day later, ICS-CERT published another advisory [PDF] about a SCADA vulnerability discovered by security researcher Dan Rosenberg from Virtual Security Research (VSR). Fortunately, in this case the vendor responded positively and a patch is available.