Over the weekend the code for the CitectSCADA exploit was incorporated into the Metasploit project. I find this of zero surprise. This has been out for some time. There is no surprise that this came to pass. OK, maybe surprise from various control operators. Short story, every script kiddie now has a chance to play SCADA hacker. Maybe they’ll even put on a crappy presentation at Defcon. Nope, scratch that. Been done.
OK, show of hands. Who didn’t see this one coming? C’mon now. Be honest. OK, for everyone who put their hands up. Please see “Knuckles” out by the loading dock to collect your prize. What’s that? Oh, right. Knuckles wants to make sure you understand that it’s nothing personal.
From The Register:
The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.
This is really not rocket science. SCADA systems by and large are rife with problems. The culture of silence in the SCADA community would make La Cosa Nostra proud. That being said, I know of a few folks that have zero-day exploits and have tried, at least in one instance, to contact the vendor. CitectSCADA basically slammed the door on one researcher. Great bridge building exercise with a researcher who is trying to help you.
But, I digress. My point is simple. The security community has tried time and again to help. Only to routinely be looked down on by certain halfwits on the SCADA mailing list. Sadly, I think this may be the only way to ever get things accomplished.
I’ve been in charge of our SCADA system for 20 yrs.
The number one rule, never allow an outside connection. Never.
@Doug
More people should listen to you.
🙂
Security Update from Citect
Sydney, Australia [September 9, 2008] – Citect has been made aware of the publication of code that could be used to exploit a vulnerability that could cause a potential security breach if deliberately executed against a CitectSCADA system. This code targets a vulnerability in Citect Windows-based control systems for which a patch was released in June 2008.
Since the original publication of this vulnerability by Core Security Technologies, Citect has been working with its customers to encourage, and help them, to apply the patch. To date, no customers have reported security breaches.
While all customers should be applying reasonable network security measures, Citect encourages customers not running the patch to contact Citect support or visit the company’s website and update their systems accordingly.
In the 21 year period over which Citect has been designing SCADA software, Citect has consistently recommended to its customers that they follow industry best practices in the development and implementation of control systems. In relation to security measures, Citect’s position on SCADA and process control network security has remained unchanged – SCADA systems, like any business systems, must be protected from unauthorized access. They must be secured by robust protection including firewalls, intrusion detection systems and VPNs.
In addition to revised internal security handling processes, Citect remains committed to working closely with security agencies, customers and partners to ensure its software meets their security guidelines. Revised measures underway include, but are not limited to, an independent code audit, the provision of customer site review capabilities, a new security and safety knowledgebase and RSS feed. In addition, Citect will soon release a new version of CitectSCADA that applies further enhanced security measures to the software as part of the company’s continued commitment to SCADA security.
“SCADA systems were originally designed and implemented before cyber security became the issue it is today, and so some SCADA systems are vulnerable when connected to the Internet,” says Christopher Crowe, Citect’s global CEO. “Citect is continuously striving to improve the security of its software and meet best-practice guidelines through the implementation of robust development and testing procedures.”
For further information on this or any related security issue, please visit Citect’s website or contact a local Citect representative.
@Watto
Lovely. Nothing like a PR firm pretending to be a commenter.
Quite the client list. Might want to be a tad less obvious next time, Hannah.
Thanks for playing.