Researchers expose security holes in SCADA systems
Manufacturing plants and critical infrastructure facilities may have received a rude awakening last week when researchers released exploit modules after finding major security flaws in industrial control systems, reports Kim Zetter at Wired. Armed with the modules, hackers may have been able to attack the systems before organizations had a chance to patch them or shut them down.
The flaws were discovered in programmable logic controllers (PLCs) built by five manufacturers, including General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics and Schweitzer Engineering. The devices control functions on assembly lines and in utilities like water, power and nuclear plants. The security holes include backdoors, a lack of encryption and authentication, and poor password storage.
The researchers, led by SCADA security firm Digital Bond, said they publicized the exploit modules, which they released with help from Rapid7, to demonstrate the vulnerability of the systems.
"We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results," said Dale Peterson, founder of Digital Bond.
Peterson said he hoped the news of the security flaws and the release of the exploits would spur the PLC vendors into making security a higher priority. "We kind of view this as just a first step maybe to help prod the industry to move forward to do something about it," he said, asserting that "a large percentage" of the flaws were known to the PLC makers who had "chosen to live with" them.
- see Kim Zetter's article at Wired