Researchers showcased unpatched security flaws in software used to control critical industrial systems by oil, gas, water and electrical distribution plants at the 2012 SCADA Security Scientific Symposium (S4) last week.
The vulnerabilities ranged from information disclosure and privilege escalation bugs to remote denial-of-service (DoS) and arbitrary code execution flaws.
The research team, which included Reid Wightman, Dillon Beresford, Jacob Kitchel, Rubén Santamarta and two other researchers who chose to remain anonymous, worked as part of a project called Basecamp that was sponsored by industrial control systems (ICS) security firm Digital Bond.
The tested products were Control Microsystems' SCADAPack, the General Electric D20ME, the Koyo / Direct LOGIC H4-ES, Rockwell Automation's ControlLogix and MicroLogix, the Schneider Electric Modicon Quantum and Schweitzer's SEL-2032.
The affected vendors were not notified in advance about the discovered vulnerabilities and the proof-of-concept exploits showcased at S4 are being integrated into the popular Metasploit penetration testing framework.
"We are hoping that Project Basecamp will be a Firesheep moment for PLCs [programmable logic controllers]," said Reid Wightman, a Digital Bond security consultant and Basecamp project lead.
The Firesheep extension for Firefox, which can hijacking people's online accounts when they use open wireless networks, is credited with pushing major online service providers like Google, Facebook, Twitter and Hotmail to add support for persistent HTTPS connections.
Project Basecamp hopes to trigger a similar reaction from SCADA (supervisory control and data acquisition) software developers, whose products have largely been overlooked by the security research community until the Stuxnet industrial sabotage worm emerged in 2010.
Stuxnet, which is considered by many the most sophisticated malware of all times, exploited flaws in SCADA software from SIemens in order to inject malicious code in PLCs used to control uranium enrichment centrifuges at Iran's Natanz nuclear facility.
"For a long time this kind of software [SCADA] has been 'under the radar', living a quiet existence," said Rubén Santamarta, one of the Project Basecamp contributors. "But lately some researchers have been busy targeting ICS products and as a consequence dozens of vulnerabilities emerged in a relatively short time window."
"It has been a 'shock' for the industrial sector, I'm not sure whether they were really prepared to deal with that scenario," Santamarta said. "As a note, we should realise that probably their customers were not asking for security either."
Many of the security problems uncovered by Project Basecamp stem from design flaws and a lot of SCADA products have undocumented features that can be abused for malicious purposes.
"It's not rare to see an industrial software that uses hardcoded accounts or services that look almost like backdoors," said Luigi Auriemma, an independent security researcher who identified and reported SCADA vulnerabilities before. When these features are found, most of the time the only solution is to remove them, he said.
Auriemma believes that the public disclosure of unpatched vulnerabilities, known as zero days, coupled with the activity of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), has had a positive effect on vendors and pushed them to address some of the problems.
However, a more proactive approach like taking security into consideration when designing these SCADA products in the first place, is needed. "It will take time but I strongly believe that security will be seen as a fundamental key as well as an added value for any industrial device in the near future," Santamarta said.
ICS-CERT has already published advisories for many vulnerabilities disclosed by Project Basecamp, and Digital Bond has worked with Tenable to create detection plugins for the Nessus vulnerability scanner.