Security researcher finds, publishes SCADA vulnerabilities

Added by Erik West on September 15, 2011

A security researcher found and disclosed on Tuesday a number of software vulnerabilities, including vulnerabilities in SCADA systems used in manufacturing, power, and other industrial applications.

In a statement on the researcher’s About page, Luigi Auriemma said “I like free informations and I try my best to release everything (interesting or not) I make or find each day because probably in all the world exists at least a person that is searching just what I have made.”

The vulnerabilities the researcher found include SCADA (Supervisory Control and Data Acquisition) industrial control systems by companies that include Cogent Real-Time Systems Inc, AzeoTech, Inc, Progea Srl, Carel Industries Srl, and Rockwell Automation. Control systems are used in industries like aerospace, manufacturing, automotive, energy and gas, building automation, and even entertainment.

The researcher published his findings on his personal web site. The vulnerabilities include a description of the affected application , the name of the company that makes it, the version number, type of vulnerability, steps to reproduce (or trigger) the vulnerability, and code that developers can download to test and verify vulnerabilities.

Auriemma, on his About page, said about his research, “…I find bugs, I don’t create them, the developers are the only people who create bugs (indirectly naturally) so they are ever the only responsible. Sometimes I’m able to create patches or work-arounds…””

Vulnerabilities are important because they are weaknesses in software that can allow an attacker to influence the software’s data or its capability to execute instructions and is related to computer and information security.

In recent years software vulnerabilities have transformed from annoyances to security risks as the number of computers and vulnerabilities increases with thousands of vulnerabilities reported and corrected each year. The majority of vulnerabilities affect personal computers, email systems, and others and are usually reported to software vendors long before being made public. Auriemma published vulnerabilities directly on his personal web site.

On his site’s About page Auriemma says, “I simply do my research on my computer and I’m happy that people use and learn from it. As everything in the world is not possible to control the usage of what we create … so for me is only important that my research has been useful or interesting.”

SCADA systems became broadly known about one year ago, during July 2010, when a specialized computer virus infected SCADA systems in Iran, and several other countries, that managed nuclear facilities.