Scada bugs make security a turkey shoot for hackers

A security researcher has lambasted Scada appliance vendors over what he says is extremely weak security in the industrial software platforms.

Aaron Portnoy, vice president of research for security firm Exodus Intelligence, said that finding flaws in platform was extremely easy and likened attacking Scada appliances with zero-day flaws to hunting a "small flightless bird".

Portnoy's bird comparison struck him while celebrating the Thanksgiving holiday. The researcher said that while preparing the meal, he took a look into the protections built into many Scada appliances.

"On Thanksgiving day I had a morning’s worth of time to wait for a turkey to cook," he explained, "so I decided to take a shot at finding as many Scada zero-day vulnerabilities as possible."

Over the course of the day, Portnoy said that he was able to uncover some 23 vulnerabilities. The flaws included eight remote code execution bugs, 13 denial of service flaws and several other bugs for arbitrary file downloads and flaws which could be used to launch other vulnerable applications.

The report could cast further doubt on an already tenuous security picture for Scada appliances and other industrial systems. Researchers have long warned that as infrastructure systems are brought online, systems which had not been designed with security in mind would be highly vulnerable.

Attacking such systems could allow third parties to cripple infrastructure networks, potentially leading to power and utility outages.

Portnoy noted that performing such attacks could prove even easier than previously believed, due to the prevalence of software flaws.

"The most interesting thing about these bugs was how trivial they were to find. The first exploitable zero-day took a mere seven minutes to discover from the time the software was installed," Portnoy said.

"For someone who has spent a lot of time auditing software used in the enterprise and consumer space, Scada was absurdly simple in comparison."

The help improve the security of industrial systems, Portnoy is hoping to open lines of communication with ICS-Cert to gain access to industrial control software and provide vendors with better audits and assessments of possible security vulnerabilities.

The most imfamous example of an attack on a Scada system to date has been the Stuxnet worm, which is widely believed to have been created by state-sponsored malware writers,