Talk to Me: SCADA Vulnerabilities: Pros and Cons

Tuesday, March 29, 2011 @ 06:03 PM gHale

By Gregory Hale
When you really think about it, typical college students lead a charmed life. They wake up in the morning, go to class, debate issues based on theory, go back to their dorm rooms, have dinner, do some homework and maybe go to the local watering hole for a few pitchers with the gang.

They live in a protective bubble. Pressure? Yes, of course there is. They need to do well in school to make sure they can get a good job, to help support themselves and be a productive member of society. But, let’s face it, real pressure? No one is going to get blown up if they do poorly on a test. No one will lose millions of dollars if they skip a few homework assignments.

Some may call it the school of hard knocks. Students learn they have to do well on all tests, not just some of them. They also learn they have to do homework and hand it in, or it will end up hurting them. The smart ones learn from those experiences and move on to successful college careers and beyond when they go out into the real world.

This past week, SCADA companies graduated into the real world. Yes, they have always worked hard at getting their systems just right for their customers. But was security part of the discussion or just an afterthought?

Just a few short days ago, Italian security specialist Luigi Auriemma, who mainly focuses on detecting holes in games and media players, released a list of 34 vulnerabilities in SCADA products from four different firms. The list consists of some major players: Siemens Tecnomatix (FactoryLink), ICONICS (Genesis 32 and 64), 7-Technologies (IGSS) and DATAC (RealWin).

Then another list of vulnerabilities comes out. Name players: Atvise SCADA; Control Microsystems ClearScada; DataRate SCADA WebControl and RuntimeHost; Indusoft SCADA Webstudio; ITS scada; Automated Solutions Modbus/TCP OPC Server; BACnet OPC client Advantech Studio Web server; BroadWin WebAccess (also sold as Advantech); Ecava IntegraXor.

These vulnerabilities don’t have the shock value Stuxnet brought, but make no mistake they truly point out industrial control systems are vulnerable, and they can easily fall prey to an attack. In reality, revealing these vulnerabilities may be more important to the industry because everyone now knows they are out there and primed.

Stuxnet pointed its sights directly at the Iranian nuclear program. Very targeted and effective.

These vulnerabilities are ripe for anyone to get in.

It is time to look at the positives here. Yes, these companies are most likely panic-stricken trying to get patches up and running, but at least they know about the vulnerabilities and, to date, there have been no known attacks.

This may also be another salvo to open the door for manufacturing automation companies to insist on thinking security first? Safety, yes. Security, yes. Both have to go hand in hand, or else you are living on borrowed time. That may sound a bit melodramatic, but look at what could happen. Can your company sustain an all-out Cyber assault?

In many ways Stuxnet was so targeted manufacturers could be lulled into thinking “They were after the bad guys and who would want to go after little old me?”

Wrong. This should be a wake-up call to ensure users get a solid security plan in place – and then make sure everyone is aware of it. An attacker can tap into these vulnerabilities at any time.

Charmed life? SCADA providers are now looking at the cold, hard facts of cyber security reality.

Talk to me: ghale@isssource.com.