
CTO defends researcher’s decision to reveal SCADA exploit

The chief technology officer of a security firm is standing behind the decision by one of his researchers to release exploit code for a SCADA vulnerability, despite a mountain of criticism being levelled against them.

Researcher Kevin Finisterre recently released attack code that takes advantage of a stack-based buffer overflow bug in Supervisory Control and Data Acquisition (SCADA) software. The vulnerability was announced in early June by its discoverer, Core Security Technologies, and the affected software's manufacturer, Georgia-based Citect, has since delivered patches to affected customers.

No breaches have been reported, according to a Citect statement.

Finisterre said he decided to create the exploit because he believed the initial disclosure did not receive enough exposure. But because the code is designed to infiltrate industrial control systems, responsible for running some of the nation's most critical infrastructure -- such as oil and gas pipelines and the electric grid -- Finisterre and his company, Netragard, caught some heat.

CTO Adriel Desautels said on Friday that he and Finisterre received 12 to 18 emails from people questioning why the exploit, developed through the publicly available Metasploit framework, was released in the first place.

Desautels said he stands by the decision.

First, the exploit will motivate people to patch by giving them a way to test their systems against the vulnerability, he said. Second, it will encourage SCADA software developers to write more secure code.

"I think releasing the exploit code was actually necessary," he said. "He's actually doing a free service. I would believe Kevin has actually reduced risk."

In addition, the exploit becomes less valuable to hackers now that it is publicly known, Desautels said.

He added that if researchers such as Finisterre are denounced for disclosures such as this, they will be less inclined to "do the right thing" because they don't want to be "portrayed as the bad guy."

But Rich Mogull, founder of independent consultancy Securosis, said that researchers often must show restraint in revealing exploits, especially when they are inherent to SCADA.

"If you told me you're releasing an exploit tool a couple of months after an IE patch comes out, I wouldn't say the same thing," Mogull said. "SCADA guys do not update their stuff. There are huge problems in SCADA. I cannot overemphasize...the disconnect we see between the SCADA community and the security community."

Desautels said that while he does not always agree with releasing exploits, it was fine in this case.

"Citect knew about this vulnerability for many months and had released patches," he said.

Mogull said the obligation to encourage users to patch and developers to build secure software does not fall on researchers.

"You're not screwing with some corporate IT department," he said of the exploit. "You let someone take over the wrong part of a SCADA system, and you bring down power."

The North American Reliability Corp. (NERC), for one, is undertaking a slew of initiatives to improve its response to critical infrastructure protection. NERC, responsible for overseeing the power system in North America, recently appointed its first-ever chief security officer and is establishing a task force to review its process for setting cybersecurity standards.
