Wired reports that a group of researchers has discovered serious security holes in 6 of the top industrial control systems used in critical infrastructure and manufacturing facilities. They have also made it easier for hackers to attack those systems before they can be patched or otherwise remediated: they’ve packaged the exploits up as nice little modules for the Metasploit tool, so that any script-kiddie or organized crime team can just point and click.
The vulnerabilities exist in programmable logic controllers (PLCs) made by GE, Rockwell, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories. Apparently the SCADA vendors did not acknowledge the vulnerabilities or release patches quickly enough for the researchers’ liking. PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power, chemical and nuclear plants, gas pipelines, and manufacturing facilities.
The vulnerabilities include backdoors as well as authentication and encryption bypasses that could allow attackers to gain access to these systems and send malicious commands that crash, halt, or interfere with specific critical processes, such as the opening and closing of valves.
Nice… Time to examine your SCADA environments and mitigate these vulnerabilities ASAP, and start elevated monitoring. I don’t believe that this is the way to move vendors forward, but that is just me I suppose. What do I know? I wonder if there are any good litigation lawyers out there that might want to monitor the exploitation of some critical infrastructure and take action against those who provide such tools to the masses when harm is done to the public?