Just one interview on the October 2011 Edition of This Month In Control System Security, but it is one of my favorites in the series and a must listen. Terry McCorkle and Billy Rios recently presented “100 Bugs in 100 Days: An Analysis of ICS (SCADA) Software.” In fact they found 665 bugs, 75 of which were easily exploitable, in 76 HMI and other ICS software applications that were freely downloadable from the Internet. They handed them all over to ICS-CERT, and the results are trickling out with advisories and patches already for Iconics, Siemens, Rockwell Automation and others.
The Derbycon presentation spent a lot of time on what ICS is and why it is important. Loyal readers and listeners here already know this. So this podcast focuses on the security vulnerabilities, how they were found, how long it took, what tools were used, some common findings and how these vulns could be extrapolated in an attack.
Two areas we talk about in detail are vulns identified through file format fuzzing and ActiveX vulns. These are two areas that don’t get much attention but seem to be fruitful ground for an attacker. The file format fuzzing is highly interesting because the community to date has focused on protocol stack fuzzing including certifications like Achilles and ISASecure. We need to ramp up the efforts for vendors to add file format fuzzing to their SDL, although I know of two vendors that have been doing a lot of this testing in QA.
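To make the file format fuzzing point concrete, here is an added example of the kind of mutation-based file-format fuzz harness a vendor could drop into QA as part of its SDL. It is not code from the podcast, from McCorkle and Rios, or from any vendor; the "HMI1" project-file format, its parser and the seed file are all constructed for this illustration, and the parser deliberately trusts the length fields in the file so the harness has something to find. The harness mutates a known-good seed file (bit flips, boundary values, truncation, random inserts), feeds each mutant to the parser, and buckets anything other than a clean rejection by exception type and source line, which is the triage a QA team needs to turn fuzzer noise into tickets.

```python
import random
import struct
import traceback
import hashlib


class ProjectFormatError(Exception):
    """Raised when the parser cleanly rejects malformed input (not a crash)."""


# Constructed toy "project file" format used only in this example:
#   magic "HMI1" | u16 record_count | records of: u16 name_len | name | u32 tag_value
def build_seed_file() -> bytes:
    records = [(b"Pump1", 100), (b"Valve2", 0)]
    out = b"HMI1" + struct.pack("<H", len(records))
    for name, value in records:
        out += struct.pack("<H", len(name)) + name + struct.pack("<I", value)
    return out


def parse_project(data: bytes) -> list:
    """Toy parser with the defect file-format fuzzing typically exposes:
    it trusts length/count fields from the file and never bounds-checks them."""
    if data[:4] != b"HMI1":
        raise ProjectFormatError("bad magic")  # graceful rejection
    (count,) = struct.unpack_from("<H", data, 4)
    offset, records = 6, []
    for _ in range(count):
        (name_len,) = struct.unpack_from("<H", data, offset)  # struct.error if truncated
        offset += 2
        name = data[offset:offset + name_len]
        offset += name_len
        (value,) = struct.unpack_from("<I", data, offset)
        offset += 4
        records.append((name.decode("ascii", errors="replace"), value))
    return records


# Boundary values that tend to break length and count fields.
INTERESTING = [b"\x00", b"\xff", b"\x7f\xff", b"\xff\xff", b"\x00\x00\x00\x80", b"\xff\xff\xff\xff"]


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations to a copy of the seed."""
    data = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(4)
        if choice == 0 and data:                 # flip a single bit
            i = rng.randrange(len(data))
            data[i] ^= 1 << rng.randrange(8)
        elif choice == 1 and data:               # overwrite with a boundary value
            v = rng.choice(INTERESTING)
            i = rng.randrange(len(data))
            data[i:i + len(v)] = v
        elif choice == 2 and len(data) > 1:      # truncate the file
            del data[rng.randrange(1, len(data)):]
        else:                                    # insert random bytes
            i = rng.randrange(len(data) + 1)
            data[i:i] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(data)


def run_one(data: bytes):
    """Return None if the parser accepts or cleanly rejects the input,
    otherwise a crash-bucket key of the form module.Exception@lineN."""
    try:
        parse_project(data)
        return None
    except ProjectFormatError:
        return None
    except Exception as exc:
        frames = [f for f in traceback.extract_tb(exc.__traceback__) if f.name == "parse_project"]
        line = frames[-1].lineno if frames else -1
        return f"{type(exc).__module__}.{type(exc).__name__}@line{line}"


def fuzz(seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Run the mutation loop; map each distinct crash bucket to its first triggering input."""
    rng = random.Random(rng_seed)
    crashes = {}
    for _ in range(iterations):
        mutant = mutate(seed, rng)
        key = run_one(mutant)
        if key is not None:
            crashes.setdefault(key, mutant)
    return crashes


if __name__ == "__main__":
    seed = build_seed_file()
    found = fuzz(seed, 500)
    for key, sample in found.items():
        # Hashing the input gives a stable name for saving the reproducer to disk.
        print(f"{key}  reproducer sha256={hashlib.sha256(sample).hexdigest()[:16]} len={len(sample)}")
```

Every bucket the loop reports is one parser code path that died on attacker-controlled input rather than rejecting it; in a real SDL the same harness would wrap the native parser (under a sanitizer or a debugger) and keep the reproducer files for the development team.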
This Month in Control System Security is brought to you by: