New SCADA Vulnerability Reports are Old News

It has been well known for some time that Supervisory Control And Data Acquisition (SCADA) software is even less safe than investing in Facebook. So why are SCADA vulnerabilities making news all of a sudden?

If I were a betting man I would put my money on money—money for companies that fix SCADA security problems.

Last week ReVuln, an Italian security firm, released a video showing vulnerabilities in SCADA applications from Siemens, GE and Schneider Electric, among others. (SCADA software runs systems at utilities, manufacturing plants and other critical points.)

Oh by the way, ReVuln is in the business of finding security flaws and then selling fixes. However, ReVuln’s service is not available to everyone and anyone. As NetworkWorld reports:

“ReVuln’s subscription-based feed service is not available to software vendors, but the security firm offers vulnerability assessment services to software manufacturers.”

ReVuln’s recent video was released just weeks after the Department of Homeland Security–always known for its tact and restraint–issued a report saying:

“Multiple threat elements are combining to significantly increase the [industrial control systems] threat landscape. Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses. Asset owners should take these changes in threat landscape seriously…and should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.”

ReVuln – SCADA 0-day vulnerabilities from ReVuln on Vimeo.

The report was released the same day ICS security vendor Digital Bond “published information about an undocumented software backdoor in industrial control systems sold by hundreds of different manufacturers and widely used in power plants, military environments and nautical ships.”

Do any of these videos, reports or warnings make us safer? Slightly, yes. But as several analysts have noted, the cost and scope of securing SCADA systems is astronomical. There is very little chance we can achieve any meaningful level of security for these systems. For now what we really have is détente, because nobody else’s systems are much better.

Another thing to keep in mind is that despite years of people yelling about the threat ICS/SCADA systems pose to the United States, I’ve only found one documented case of an attack: When the United States and Israel released Stuxnet on the Iranians.