New zero-day Scada flaws raise spectre of Stuxnet

The inherent security flaws in industrial systems were exposed again last week after an Italian researcher published a list of zero-day vulnerabilities in several manufacturers' supervisory control and data acquisition (Scada) products.

Scada systems play a vital role by monitoring and controling industrial processes in a range of sectors from manufacturing to energy to water.

The security weaknesses in such systems were first exposed in a high-profile way by the Stuxnet worm, which is believed to have been designed specifically to disrupt Iranian nuclear facilities.

Since then, the security of Scada systems has frequently come under the spotlight.

A study from Q1 Labs published in April found that over 75 per cent of global energy companies have suffered at least one data breach over the past 12 months, and that two-thirds hed been exposed to an attack because of out of date Scada equipment.

Italian researcher Luigi Auriemma has now unveiled 13 flaws in products from vendors including Rockwell Automation, Cogent Datahub, Azeotech and Progea.

The problems range from heap and stack overflow to denial-of-service vulnerabilities, most of which allow the hacker to carry out an attack remotely.

The release prompted US-CERT to publish its own advisories for operators of the affected products.

As ever, the security organisation's advice for mitigating the risks involves minimising network exposure by putting devices behind a firewall and isolated from the business network.

"If remote access is required, employ secure methods such as virtual private networks," US-CERT added.

Back in March, Auriemma unveiled details of 34 Scada vulnerabilities which, although not on the same scale, showed that the days of security by obscurity in the Scada market are very much behind us.