Reading time is around minutes.
Remember when we told you about the security holes in the supervisory control and data acquisition components (SCDA)? Well it looks like there are even more to be found out there in the wild. If you are surprised by this then you must have just crawled out from under a nice big rock. After all most of these components have not been upgraded in decades or are manufactured by companies that still believe that these components are not reachable.
Thanks to a 30-year old Italian researcher named Luigi Auriemma this problem is being brought to light. Most of the companies that are seeing this light are having pretty much the same reaction as you get when you stumble out into the day after a serious night of partying. They are closing their eyes and trying to ignore the big light in the sky. Auriemma, has been finding these new holes at an alarming (to the industry not to many security researchers) rate. He unveiled over 30 in March and has tossed out a few each month since then.
The holes tend to center around the PLCs or Programmable Logic Controllers. These are the devices that do all the heavy lifting and can be used to operate valves, motors etc. In short these are the parts that are the most critical in terms of the need to keep them secure. The odd thing about these new security holes is that when the need for connected SCDA, DCS and PLCs came around no thought was given to make sure they were secure. Then as the threats on the internet grew the manufacturers continued to ignore the need for security. It is a sad state of affairs to find that the majority of the major control systems in the US (and other countries) is connected to the internet without a thought for security.
There is good news though, some of the manufacturers appear to be starting to make a shift to thinking of these devices as the connected systems they are. This means they are preparing for better security precautions and building new software to help make unauthorized access more difficult. The question that has to be asked is; if they have waited so long are these companies up to the task of competing with the current crop of “bad guys”?
Discuss in our Forum
Latest from Sean Kalinich
- ConnectWise Slash and Grab Flaw Once Again Shows the Value of Input Validation We talk to Huntress About its Impact
- Social Manipulation as a Service – When the Bots on Twitter get their Check marks
- To Release or not to Release a PoC or OST That is the Question
- There was an Important Lesson Learned in the LockBit Takedown and it was Not About Threat Groups
- NetSPI’s Offensive Security Offering Leverages Subject Matter Experts to Enhance Pen Testing
Leave a comment
Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.