Researcher Exposes SCADA Software Vulnerabilities

Details of several vulnerabilities affecting the SCADA operating system used to control hardware at nuclear plants have been released online by an Italian researcher.

The researcher, Luigi Auriemma, has released proof-of-concept attack codes for the operating system that could have serious implications if not dealt with in time.

The security flaws detailed by the researcher are found in software programs based on the SCADA platform offered by companies like Siemens, Iconics, 7-Technologies, Datac, and Control Microsystems. Several of these flaws can be exploited by hackers to remotely execute malicious code and steal sensitive data stored in configuration files.

The flaws detailed by the researchers cover 34 vulnerabilities in software offered by four different vendors.

“SCADA is a critical field but nobody really cares about it. That's also the reason why I have preferred to release these vulnerabilities under the full-disclosure philosophy,” Auriemma said in a statement to The Register.

He hopes that his full-disclosure report might push the software vendors into action to patch the vulnerabilities in their products.

His move has prompted the US ICS-CERT (Industrial Control System Computer Emergency Response Team) to release four different security alerts related to the flaws revealed by the researcher.

“ICS-CERT recommends that users minimize network exposure for all control system devices. Control system devices should not directly face the Internet,” the organisation advised.