Friday, December 19, 2008

Raising Infrastructural Awareness in 2008

Before 2008 nobody had done any high-visibility vulnerability research and exploit development against critical systems used to maintain our critical infrastructure. In early to mid 2008 that all changed. Initially Core Security released a security vulnerability for Citect SCADA. That security vulnerability got media attention because it was one that could be used to penetrate into important control systems that are used to control our infrastructure (electricity, water, gas, oil, etc.).

When the vendor released their statement about the vulnerability they downplayed the criticality of the issue in a very significant way. In our opinion that downplay was borderline unethical and was an attempt to save face. Fortunately for all of you who rely on electricity, running water, etc., we weren't going to stand for that. More specifically, Kevin Finisterre, our lead researcher, wasn't going to stand for it.

At first Kevin and I tried talking to the engineers about the criticality of the vulnerability. That discussion got us nowhere fast; the engineers simply didn't want to hear it and didn't want to assume responsibility for the problem. At that point Kevin decided to take the game to the next level, and this time the actual risk for the vulnerability would be proved.

Kevin decided that he would write an exploit for the Citect SCADA vulnerability; after all, the vendor said that it was a low-risk issue, right? So Kevin did just that: he wrote an exploit and published it to the Metasploit Framework. Once word of that got out, the attitudes at Citect and those of the engineers changed so fast that heads spun. All of a sudden this non-critical issue was a critical issue and something had to be done.

So why was it so important for us to do that? Why did we feel that it was the ethical thing to do? Here's why...

An exploit had already been created by a few other people and was in circulation. So the bad guys had it and the good guys didn't. When Kevin published the exploit he evened out the playing field and gave the good guys the same caliber guns. When the good guys fired the gun, the reality of their vulnerability was very apparent, and only then did they jump to work on the issues. That said, some of them are still vulnerable.

Throughout 2008 we kept on researching SCADA vulnerabilities and other security issues related to infrastructural systems. As it turns out, we caught a lot more interest than we thought we would have, and we had a much bigger impact on the industry than expected. Today Citect is taking security very seriously and many government agencies have become very aware of these risks.

Here is a podcast where people reference the work that we've done with vulnerability research and exploit releases. They never directly mention our names (go figure), but we all know who they are talking about.
