Terry McCorkle’s presentation at DerbyCon, 100 Bugs in 100 Days: An Analysis of ICS (SCADA) Software is available online. He did this research in his spare time with Billy Rios, and it is informative technically and culturally.
The research focused on freely downloadable HMIs from around the world. They found 380 HMI applications but only had time to look at 76 of the 380.
The results were staggering, but then again not too surprising for this type of software in the ICS space. McCorkle and Rios found 665 bugs that caused an application to crash. 75 of these bugs led to exploits, and McCorkle pointed out that they had so much information to go through that they focused on the easy exploits. There are likely more exploits in the 665 bugs.
A variety of fuzzing tools were used, including COMRaider, Sulley, FileFuzz and a new tool developed by the researchers called Blasty.py. Fuzzing found 590, or almost 90%, of the bugs. They further broke the bugs down as follows:
- 360 resulted from file fuzzing
- 204 were ActiveX vulns
- 90 were web vulns
“Most of the bugs were straight out of the ’90s,” according to McCorkle. Skip to minute 28 if you want to see some examples.
It is striking how much the DerbyCon audience laughed at ICS security, although the beer was flowing. The number and simplicity of the exploits shown as demonstrations deserved the laughter. Who knows what the result will be of the growing knowledge and consensus in the all-hat-color hacking community that ICS security is laughable.
On one hand, research and interest in the area could diminish if finding a SCADA exploit is viewed as a minor technical accomplishment. On the other, it could lead the IT security community to move beyond HMIs, better understand ICS and create a large amount of nasty exploit code. Again, after the lost decade, it is unclear which would be better for the ICS community.
Terry gives ICS-CERT high marks and a lot of thanks for coordinating the vulnerabilities he and Billy found. The researchers did not want to deal with all the vendor issues and just turned the whole mess over to ICS-CERT. This matches Digital Bond’s experience that ICS-CERT does a good job coordinating disclosures when the researcher does not want to deal with the issue.
This ties into part of my upcoming presentation at ICSJWG on vulnerability disclosure. Do we really want the smart guys at INL/ICS-CERT spending time coordinating large numbers of HMI freeware vulns? They need to focus on the vulns and other security issues that could have a major impact on the critical infrastructure and pass on some of this work.
Most loyal blog readers can skip the first 13 minutes of the 40-minute presentation, as it is an explanation of ICS as background for the IT security audience. He is a bit off on the level of segregation or separation between the typical ICS and corporate network, but other than that it is an adequate introduction.
Minutes 17 to 22 are when Terry goes over the statistics mentioned above.
Minute 22 is full of thanks and good words for ICS-CERT.
Minute 25 is interesting for seeing what a smart guy in IT security knows about SCADA and DCS. He shows an attack path with a user on the corporate network going through a firewall, which he indicated earlier is not common, to reach an HMI. This is not a common scenario, at least in critical infrastructure ICS. Corporate access is typically to some data that is pushed out to a DMZ. Sometimes a view-only HMI application on a terminal server could be found in the DMZ. There are other items that could be pointed out as inaccurate. This is not an IT vs. Ops comment, but a view of how well top-notch IT security researchers understand critical infrastructure control systems.
This doesn’t negate the scenario of compromising a box on the corporate network that is allowed through the corporate/ICS firewall. It would just likely happen through a different set of device-to-device exploits and pivots.
The 28-minute mark is where McCorkle starts showing some of the bugs/vulns, if you want some technical meat.