Critical Infrastructure Security, Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Attack code released for SCADA software vulnerability

Updated on Monday, Sept. 8 at 5:16 p.m. EST

Security researcher Kevin Finisterre has created an exploit that takes advantage of a serious vulnerability reported earlier this summer in widely deployed industrial process control software.

The bug in CitectSCADA, which was patched in early June after being discovered by Core Security Technologies, is a traditional stack-based buffer overflow. It could grant an attacker access over supervisory control and data acquisition (SCADA) software that controls industrial processes, including oil and gas pipelines, chemical plants, assembly lines and power grids.

"I honestly feel that the flaw has the potential to be very critical," Finisterre, who works for security firm Netragard, said in an email Monday to "That is the main reason for my secondary disclosure. I don't think this bug got the proper exposure the first time around."

He said Citect, whose U.S. headquarters is in Georgia, downplayed the severity of the flaw.

But Kurt Lovell, vice president of Citect Americas, told on Monday that the company advises its customers to take every security matter seriously.

"With respect to our install base, [Finisterre is] making it significantly easier for someone who wanted to do harm to try to do harm," Lovell said. "That said, we're not particularly concerned because we have already worked aggressively with our install base to make sure they're protected."

At the time of the vulnerability, experts said they expected similar bugs to arise in the near future.

"The recent discovery of a critical SCADA system vulnerability is another classic example of the inherent risks and vulnerabilities that exist within the industrial control system and SCADA environment," said Brian Ahern, president and CEO of Industrial Defender, provider of industrial control system security solutions.

"The reality is that these systems were never designed for cybersecurity in mind and today they are being openly connected to the outside world even though many vendors are advising against this level of connectivity," Ahern added. "As a result of the need for real-time business information, it is becoming increasingly popular for the plant network to connect with enterprise networks and the open internet."

Lovell said Citect's customers are responding to SCADA's evolution by implementing security protocols.

"They aren't blindly ignoring the security risks as interconnectivity welcomed the world," he said.

Finisterre said he leveraged the Metasploit hacker framework to create the exploit.

"I essentially took the general information that was available at the time and gazed into my debugger for many hours trying to understand how things worked," he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.