Over the weekend the code for the CitectSCADA exploit was incorporated into Metasploit project. I find this of zero surprise. This has been out for sometime. There is no surprise that this came to pass. OK, maybe surprise from various control operators. Short story, every script kiddie now has a chance to play SCADA hacker. Maybe they’ll even put on a crappy presentation at Defcon. Nope, scratch that. Been done.
OK, show of hands. Who didn’t see this one coming? C’mon now. Be honest. OK, for everyone who put their hands up. Please see “Knuckles” out by the loading dock to collect your prize. What’s that? Oh, right. Knuckles wants to make sure you understand that its nothing personal.
From The Register:
The exploit code, published over the weekend as a module to the Metasploit penetration testing tool kit, attacks a vulnerability that resides in CitectSCADA, software used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. In June, the manufacturer of the program, Australia-based Citect, and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia warned the flawed software could put companies in the aerospace, manufacturing and petroleum industries at risk from outsiders or disgruntled employees.
This is really not rocket science. SCADA systems by and large are rife with problems. The culture of silence in the SCADA community would make La Cosa Notra proud. That being said I know of a few folks that have zero day exploits and have tried, at least in one instance, to contact the vendor. CitectSCADA basically slammed the door on one researcher. Great bridge building exercise with a researcher who is trying to help you.
But, I digress. My point is simple. The security community has tried time and again to help. Only to routinely be looked down on by certain halfwits on the SCADA mailing list. Sadly, I think this may be the only way to ever get things accomplished.