SC Magazine has an article up reporting that a security researcher has "released" an exploit for the CitectSCADA vulnerability announced earlier this summer. I've written about the challenges around SCADA systems before, and we continue to monitor this space, so the article caught my attention.
I have little doubt that the original vulnerability was serious, and all indications are that it was taken seriously, if not by the press then at least by Citect and their customer base. This newly released "exploit" seems a bit over the top to me, as do a couple of quotes in the article. Here's an example:
"As a result of the need for real-time business information, it is becoming increasingly popular for the plant network to connect with enterprise networks and the open internet."
I don't know Brian Ahern, and far be it from me to say that companies, industrial or otherwise, shouldn't secure their networks. But is Mr. Ahern truly alleging that power companies are giving their industrial control systems unfettered access to the public Internet? That seems a bit of a stretch. The stretch gets even wider when a look at the code shows it targeting a high ephemeral port related to ODBC connectivity. Is there really any company that allows incoming connections on ephemeral ports to internal systems, much less to industrial control systems running SCADA applications? None of the utility people I've had the opportunity to meet does.
Given today's landscape, what seems a more likely vector is a bot or otherwise malware-infected host already inside the company's perimeter. Put another way, given that we're in an election year, "It's the Inside, stupid."
By all means, take this vulnerability seriously. By all means, leverage perimeter security devices (if you don't already) to protect critical infrastructure devices from the public Internet. But you should also secure your network from the inside out, not just from the outside in.