Security experts put pressure on industrial control system makers
According to a report on Wired's Threat Level blog, a group of security service providers have published exploits for security vulnerabilities in components used in industrial control systems that could be used to compromise or disrupt these systems. Controversially, the group did not inform the vendors of these holes before making the announcement, thus giving them no opportunity to provide their customers with patches for the vulnerabilities.
The group, which includes such well-known security researchers as Dillon Beresford, Ruben Santamarta and Dale Peterson, state that their intention is to show companies operating critical infrastructure just how easy it is to hack their systems. The researchers say that they hope to generate a sense of shock in the SCADA community similar to the one that followed the release of Firesheep last year. Firesheep was a Firefox add-on which was able to steal cookies belonging to other users sharing a Wi-Fi network and use them to log onto web sites. Because the add-on was so user-friendly, many web sites considered the risk of widespread use to be sufficiently high that they felt obliged to switch from unencrypted HTTP communication to SSL-encrypted HTTPS.
The current case involves programmable logic controllers manufactured by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics and Schweitzer Engineering. According to information released by the group, the vulnerabilities include backdoors, hard-coded passwords and a lack of authentication when loading code. Some of these devices, such as the model from GE, have been on the market for 20 years.
The researchers said that they had not informed the vendors of the security vulnerabilities they had discovered in advance, as they wanted to avoid the same kind of difficulties Beresford had experienced with Siemens last year. Beresford found himself forced to cancel a talk on vulnerabilities in Siemens products following intervention by the company. According to Dale Peterson, the manufacturers were already aware of many of the vulnerabilities which have now been revealed, but had simply "chosen to live with" them.
The group has received some criticism for publishing the vulnerabilities. The head of the DHS' Control Systems Security Programme noted that, while they promote the disclosure of vulnerabilities, they believe that this should take place only once a solution to the problem is available. German SCADA security specialist Ralph Langner told US media that, while he hoped for a positive outcome to the experiment, he would not have published the exploits in this way.