Wednesday, 23 March 2011 00:09

Attack Code for SCADA Vulnerabilities Released Online

The security of critical infrastructure is in the spotlight again this week after a researcher released attack code that can exploit several vulnerabilities found in systems used at oil-, gas- and water-management facilities, as well as factories, around the world.

The 34 exploits were published by a researcher on a computer security mailing list on Monday and target seven vulnerabilities in SCADA systems made by Siemens, Iconics, 7-Technologies and DATAC.

Computer security experts who examined the code say the vulnerabilities are not highly dangerous on their own, because they would mostly just allow an attacker to crash a system or siphon sensitive data, and are targeted at operator viewing platforms, not the backend systems that directly control critical processes. But experts caution that the vulnerabilities could still allow an attacker to gain a foothold on a system to find additional security holes that could affect core processes.

SCADA, or Supervisory Control and Data Acquisition, systems are used in automated factories and in critical infrastructures. They came under increased scrutiny last year after the Stuxnet worm infected more than 100,000 computers in Iran and elsewhere.

The worm was designed to target a specific component known as a programmable logic controller, or PLC, used with a specific Siemens SCADA system. It was widely believed to be aimed at a PLC controlling centrifuges at the Natanz uranium-enrichment plant in Iran.

The exploit codes released this week were posted to the Bugtraq mailing list on Monday by security researcher Luigi Auriemma who wrote that he knew nothing about SCADA before uncovering the vulnerabilities in a series of tests. Auriemma told the Register that he published the vulnerabilities and attack codes to draw attention to security problems with SCADA systems.

His move got the attention of U.S. ICS-CERT, or Industrial Control Systems–Computer Emergency Response Team, which subsequently published advisories for the vulnerabilities.

The systems that are affected include Siemens Tecnomatix FactoryLink, Iconics Genesis32 and Genesis64, DATAC RealWin, and 7-Technologies IGSS.

The Iconics and DATAC systems are most heavily used in the United States, according to Joel Langill, a control-systems security specialist. Langill says the Iconics systems are used in the oil and gas industry in North America, and the DATAC system is often found in municipal wastewater management facilities. He is not aware of any of the programs being used at important nuclear facilities.

“Most of these don’t tend to be high-reliability products,” he said. “And in nuclear you need high reliability.”

Of the 34 attacks Auriemma published, seven target three buffer-overflow vulnerabilities in the Siemens system, an old legacy product that Siemens plans to stop supporting next year. One of the attacks against the Siemens system would simply result in a denial of service, but the other two would allow an attacker to remotely copy files onto the target's file system, according to Langill.

“As a proof of concept, that could actually be very dangerous, because it would allow you to drop in a malicious payload,” he said. “I would want to patch that fairly fast.”

The Iconics system involves 13 attacks — all targeting one vulnerable process. Langill said these were the least-developed attack codes Auriemma released. None of them would allow an intruder to execute code on the system.

The 7-Technologies IGSS attack involves eight different exploits targeting two vulnerabilities in that system. Langill considered these the most impressive, noting that at least one of the attacks would allow remote execution of malicious code on the system.

“It was very easy to drop files onto the host,” he said about his test of the code.

The DATAC system involves seven attack codes targeting one vulnerability.

Although the attacks don’t target programmable logic controllers directly, they would allow an attacker to mask what an operator sees on his monitor, by changing data that appears on his screen. Therefore, if an attacker can find and attack vulnerabilities in a PLC connected to these systems, he could make it appear to the operator that everything is functioning on the PLC correctly.

“I could download operator graphics to my system, modify them and then upload those modified graphics to the operator,” Langill said. “Idaho National Labs has shown that to be a very effective attack vector to fake out the operator.”
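The graphic-substitution vector Langill describes (download the operator displays, modify them, upload them back) leaves a trace a defender can check for: the display files on the HMI host no longer match a known-good baseline. The following Python script is an added example, not code from the article or from any of the vendors named; it hashes every file under a graphics directory, stores the digests as a baseline, and reports files that were later modified, added or removed. The directory layout and the `.gdf` file names are constructed for the demonstration.

```python
"""Integrity baseline for HMI operator-graphics files (added example).

Constructed scenario: a plant's display files are hashed once, then one
display is replaced with a "faked" copy and a rogue file is dropped in.
verify() reports both changes against the stored baseline.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large display bundles are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    rootp = Path(root)
    return {
        p.relative_to(rootp).as_posix(): sha256_file(p)
        for p in sorted(rootp.rglob("*"))
        if p.is_file()
    }


def verify(root: str, baseline: dict) -> dict:
    """Compare the directory's current state against a previously stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Run the constructed scenario in a temporary directory and return verify()'s report."""
    with tempfile.TemporaryDirectory() as d:
        gfx = Path(d) / "graphics"          # hypothetical HMI display directory
        gfx.mkdir()
        (gfx / "pump_station.gdf").write_bytes(b"<display>pump status: normal</display>")
        (gfx / "overview.gdf").write_bytes(b"<display>plant overview</display>")
        baseline = build_baseline(str(gfx))

        # Tampering: the pump display is swapped for one that always reads "normal",
        # and an unexpected file appears alongside the legitimate graphics.
        (gfx / "pump_station.gdf").write_bytes(b"<display>pump status: normal (hard-coded)</display>")
        (gfx / "extra.gdf").write_bytes(b"<display>injected</display>")
        return verify(str(gfx), baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline only has value if it is kept somewhere the HMI host cannot rewrite it (an engineering workstation or a signed file on read-only media), and if the check runs on a schedule independent of the HMI software itself; a copy stored next to the graphics would simply be replaced along with them.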

Langill said, however, that the likelihood that any of these vulnerabilities would be attacked remotely is low, because such systems are generally not connected to the internet.

But the bottom line, Langill says, is that Auriemma showed that even someone with no knowledge of SCADA could, in a very short time, take SCADA software that is easily obtained by anyone and generate exploits that could reasonably impact operations.

“He’s done the hard part to give someone a way into the system,” Langill said. “Someone else who knows the system can now go in and find a way around in it, to launch the malicious act.”

UPDATE: Story updated to correct the misspelling of Langill’s name.
