Monday, November 8, 2010

SCADA security issues will be the shiny hot topic

Metasploit and SCADA Exploits: Dawn of a New Era?

On 18 October, 2010 a significant event occurred concerning threats to SCADA.

That event is the addition of a zero-day exploit for the RealFlex RealWin SCADA software product into the Metasploit repository.

Some striking facts about this event follow:

  1. This was a zero-day vulnerability that unfortunately was not reported publicly, to an organization like ICS-CERT or CERT/CC, or (afaik) to the RealFlex vendor.

  2. This exploit was not added to the public Exploit-DB site until 27 October, 2011.

  3. The existence of this exploit was not acknowledged with an ICS-CERT advisory until 1 November, 2010.

  4. This is the first SCADA exploit added to Metasploit.

Shawn Medinger at InfoSec Island shared some interesting thoughts:

First, the SCADA community can expect to see an explosion of vulnerabilities and accompanying exploits against SCADA devices in the near future.

Second, the diverse information sources in which SCADA vulnerabilities may appear must be vigilantly monitored by numerous organizations and security researchers.

Afaik, the first widely-disseminated information on the RealFlex RealWin buffer overflow occurred on 1 November, when I sent the information to the SCADASEC mailing list.

Third, people should recognize that the recent Stuxnet threat has cast a light on SCADA security issues. Put bluntly, there is blood in the water.

Quite a few people, companies and other organizations are currently investigating SCADA product security, buying equipment and conducting security testing for a number of differing interests and objectives.

Fourth, understand that because of the current broken business model, security researchers are often frustrated by software vendors’ action, or inaction, when it comes to reporting vulnerabilities.

Often, there is no security point-of-contact at the vendor. Even worse, the technical support who are contacted by the security researcher often do not understand the technical and security implications of the issue reported.

Even in the case of specialty SCADA security shops reporting vulnerabilities to the vendor, we are seeing documented cases of “vendor spin” furthering the bad blood between vendors and ethical research.

All of these factors lead to frustrated security researchers, some of whom will simply expose the vulnerability and exploit to the world, rather than take a disclosure path through a CERT.

Fifth, folks should recognize that attack frameworks like Metasploit enable a never-before-seen level of integration of these kinds of targeted critical infrastructure-related exploits into a powerful tool.
