Security firm showcases vulnerabilities in SCADA software, won't report them to vendors

The vulnerability information will be sold to private buyers as part of a commercial service, the company says

Malta-based security start-up firm ReVuln claims to be sitting on a stockpile of vulnerabilities in industrial control software, but prefers to sell the information to governments and other paying customers instead of disclosing it to the affected software vendors.

In a video released Monday, ReVuln showcased nine "zero-day" (previously unknown) vulnerabilities which, according to the company, affect SCADA (supervisory control and data acquisition) software from General Electric, Schneider Electric, Kaskad, Rockwell Automation, Eaton and Siemens. ReVuln declined to disclose the name of the affected software products.

SCADA software runs on regular computers, but is used by owners of critical infrastructure and various other types of industrial facilities to monitor and control industrial processes.

According to ReVuln, the vulnerabilities it showcased Monday can allow attackers to remotely execute arbitrary code, download arbitrary files, execute arbitrary commands, open remote shells or hijack sessions on systems running the vulnerable SCADA software.

The attackers "can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service," ReVuln co-founder and security researcher Luigi Auriemma said Monday via email. "They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure."

The attacks can be executed from another computer on the internal network or, in many cases, from the Internet. Most of the products were designed to allow remote administration over the Internet, according to their documentation, Auriemma said.

It's also common to find such systems exposed to the Internet because of insecure configurations, the researcher said. "Shodan [a search engine that can be used to discover Internet-accessible industrial control systems] is giving us tons of interesting results about machines of big known companies that we can exploit remotely just at this moment."

General Electric, Schneider Electric, Rockwell Automation and the U.S. Department of Homeland Security, which operates the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), did not respond to requests for comment sent Monday.

"ICS-CERT has just contacted us some minutes ago requesting more details but we don't release information," Auriemma said. The vulnerabilities "are part of our portfolio for our customers so no public details will be released; they will remain private," he said.

Along with French vulnerability research firm VUPEN, ReVuln is among a few companies that openly sell vulnerability information to government agencies and other private customers and refuse to report the vulnerabilities their researchers find to the affected vendors so they can be fixed.

"The vulnerabilities included in our Zero-day feed [a subscription-based service] remain undisclosed by ReVuln unless either the vulnerability is discovered and reported by a third party or the vendor publicly or privately patches the issue," the company states on its website.

It's a somewhat controversial business model that has been criticized by digital rights advocates and various people from the IT security industry who argue that it makes the Internet less safe because the vulnerabilities remain unpatched and known to third parties who may be interested in exploiting them for offensive purposes.

However, the practice is not new. It's been known for years in the security research community that some companies and independent researchers are selling information about unpatched vulnerabilities to governments and other private buyers, but such transactions used to be done discreetly.

In the absence of additional details and vendor confirmation, it's hard to independently confirm the existence of these vulnerabilities. However, Auriemma's reputation as a prolific vulnerability researcher and his past work in the field of SCADA security lends credibility to his company's claims.

During the past few years, before creating ReVuln together with former RIM security researcher Donato Ferrante, Auriemma reported dozens of vulnerabilities in SCADA software.

"Luigi [Auriemma] has found many vulnerabilities in SCADA and ICS [industrial control systems] in the past, and I'm sure he will continue to in the future," said Dale Peterson, CEO of Digital Bond, a Sunrise, Florida-based company that specializes in ICS security research and assessment, Tuesday via email. "He is talented."

That said, finding vulnerabilities in SCADA software is not that hard to do, Peterson said. "The issue with these applications is they were developed without security integrated into the development process."

"It is similar to what Microsoft was doing in the 90s," he said. "Without a security development lifecycle you will see the common programming mistakes that lead to vulnerabilities and exploits over and over."

As far as ReVuln's business model is concerned, "Digital Bond's position is that the person who finds the vulnerability can decide what to do with it," Peterson said. "Report to the vendor, a CERT, sell it, publish it, or keep it for future use. We have done all of the above and make our decision on a case by case basis."

"It really doesn't matter if this is right or wrong for ICS or any market," Peterson said. "It is the way it is so there's no value in discussing responsible disclosure."

David Harley, a senior research fellow at security vendor ESET, said Tuesday via email that, while he belongs to a generation of researchers that prefers responsible to unrestricted disclosure, he can understand that vulnerability researchers expect something in return for their efforts.

However, if security researchers who find vulnerabilities in industrial control systems don't self-regulate or get support for their work through a government program, they run the risk of meeting legal and other forms of pressure because issues that can affect national security attract particular attention, Harley said.

"Vupen lays claim to a certain amount of self-regulation (in terms of being choosy about its customers): I don't know about Revuln, but at least what they're doing isn't full, promiscuous disclosure," Harley said.

"I can't say I feel comfortable with this, but it may be that legitimized and monetized research will work out better for the online world than multitudes of individuals and unofficial groups working semi-covertly," the ESET researcher said. "If so, let's hope too much damage isn't done while that market stabilizes."

As far as ReVuln's customer selection process goes, Auriemma said the company "accepts trusted customers from reputable countries only."


Stories by Lucian Constantin
