On Monday of this week, security researcher Luigi Auriemma published 34 SCADA exploits on several SCADA HMI software applications including:
Siemens Tecnomatix FactoryLink
Iconics Genesis32 and Genesis64
What I found interesting is that he admitted that he knew nothing about SCADA before uncovering the vulnerabilities. If a security researcher who admits to having no expertise or history with SCADA systems can find these security vulnerabilities and write exploits for them, what can a motivated attacker do? Stuxnet showed the world that anything is possible, and this latest list of exploits proves that SCADA will continue to be a target-rich environment for attackers.
Another lesson that this is teaching us is that the ideal team for building SCADA exploits would involve expertise from both the control systems and cyber security researcher communities. If you could blend both expertise and skill sets into one person, I would imagine a Control System Engineer with pocket protectors and a hacker mohawk :)
All jokes aside, this latest news simply confirms that we need more diligence in securing these vulnerable SCADA software applications and protocols. Don't point the finger at the vendors. Yes, they have a responsibility to the community to create and support secure code, but ultimately the responsibility for securing these infrastructures lies with the asset owner and system administrator. While waiting for the control systems vendors to get a clue and start creating more secure software and firmware, asset owners can stand up test environments, test security patches, and keep their systems at the latest security patch level their vendor allows. Asset owners can also use secure architectures and perimeter controls to limit access into the SCADA networks where these vulnerable applications are installed.
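As an added example of the perimeter control the last paragraph calls for (this is not code from the original post or from any vendor), the following script audits constructed firewall flow records against a default-deny allowlist for a control network: only a jump host and an engineering workstation may reach the HMI hosts, and only on specific TCP ports. The network ranges, host addresses, ports and log lines are all assumptions constructed for illustration; the log format is a made-up "timestamp proto src:port -> dst:port" layout that a real firewall would need a different parser for.

```python
"""
Allowlist audit for flows entering a SCADA network.

Everything below (addresses, ports, log format, sample lines) is a constructed
assumption for illustration, not data from the post or from any real site.
"""
import ipaddress
from dataclasses import dataclass

# Assumed control-network range where the vulnerable HMI applications live.
SCADA_NET = ipaddress.ip_network("10.10.0.0/16")

# Default-deny allowlist: (source network, TCP destination port) pairs that are
# permitted to enter the SCADA network from the business side.
ALLOWED_TCP = [
    (ipaddress.ip_network("10.20.0.5/32"), 3389),  # assumed jump host -> RDP to HMI
    (ipaddress.ip_network("10.20.0.6/32"), 443),   # assumed engineering workstation -> HMI web UI
]


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    _ts, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(
        src=ipaddress.ip_address(src_ip),
        dst=ipaddress.ip_address(dst_ip),
        dport=int(dst_port),
        proto=proto.upper(),
    )


def is_allowed(flow: Flow) -> bool:
    """Apply the perimeter policy to a single flow.

    Only flows that cross the boundary INTO the control network are judged here;
    intra-zone and outbound flows are out of scope for this check.
    """
    if flow.dst not in SCADA_NET:
        return True  # not inbound to the control network
    if flow.src in SCADA_NET:
        return True  # intra-zone traffic, governed by a separate policy
    if flow.proto != "TCP":
        return False  # allowlist entries are TCP-only; everything else is denied
    return any(flow.src in net and flow.dport == port for net, port in ALLOWED_TCP)


def audit(lines):
    """Return the log lines describing flows the perimeter policy would deny."""
    return [line for line in lines if not is_allowed(parse_flow(line))]


# Constructed sample log: two permitted accesses, three violations, and two
# flows that do not enter the control network from outside.
SAMPLE_LOG = [
    "2011-03-23T10:00:01 TCP 10.20.0.5:51000 -> 10.10.1.10:3389",     # allowed: jump host RDP
    "2011-03-23T10:00:02 TCP 10.20.0.6:51001 -> 10.10.1.10:443",      # allowed: eng. workstation HTTPS
    "2011-03-23T10:00:03 TCP 192.168.50.20:51002 -> 10.10.1.10:3389", # denied: unknown source
    "2011-03-23T10:00:04 TCP 10.20.0.5:51003 -> 10.10.1.10:80",       # denied: jump host, wrong port
    "2011-03-23T10:00:05 TCP 10.10.1.11:51004 -> 10.10.1.10:502",     # intra-zone, out of scope
    "2011-03-23T10:00:06 TCP 10.10.1.10:51005 -> 10.20.0.5:443",      # outbound, out of scope
    "2011-03-23T10:00:07 UDP 10.20.0.5:51006 -> 10.10.1.10:3389",     # denied: non-TCP
]

if __name__ == "__main__":
    for violation in audit(SAMPLE_LOG):
        print("DENY", violation)
```

The point of the default-deny shape is that a newly published HMI exploit only matters if the attacker can reach the HMI's listening port; flows that show up in the denied list are the ones to investigate, and any entry you are tempted to add to the allowlist is a conscious, documented exception rather than an open perimeter.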