HD Moore recently published a blog entry highlighting some serious vulnerabilities in VxWorks, an operating system used by a number of field devices in SCADA and DCS. What does and doesn’t this mean?

  • This has little or no impact on the security of control system field devices. Not because they could not be vulnerable to this attack, but because almost all field devices lack even basic security, so an attacker does not need an exploit to compromise a field device. Control system protocols deployed today lack basic authentication, so anyone that can ping a PLC can usually read from or write to that PLC. As we have discussed and demonstrated before, most have a firmware upload feature that is not authenticated, so a more sophisticated attacker can load his own code on the PLC, as we demonstrated with RA’s ControlLogix and a Direct Logic Koyo box. I feel like I’m channeling Ralph Langner here: why would an attacker bother with an exploit when they can just access the field device and do whatever they want?
  • It is more evidence that security talent of all hat colors is looking more closely at control system related devices, applications and operating systems. This area has some sizzle now. People outside the community are focusing on items they have access to, such as downloadable HMIs and widely used operating systems. The fact that we are not seeing these types of exploits for the SCADA / DCS / EMS server applications is because those applications are harder to get without signing a lot of limiting legal documents.
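Since the protocols themselves will not refuse an unauthenticated read, write or firmware upload, the practical compensating control is on the network: know which hosts are supposed to change a controller and alert on any state-changing operation that comes from anywhere else. The script below is an added example of that idea and is not code from the original post, from HD Moore, or from any PLC vendor. The record format (`src plc op` on one line), the host addresses, the allow-list and the sample records are all constructed for illustration; a real deployment would feed it from a protocol-aware sensor or a firewall log.

```python
# Added example (not from the original post): an allow-list monitor for PLC
# write and firmware-upload operations. Because field devices accept these
# operations without authentication, the detection has to live on the network
# side: flag any state-changing operation from a host that is not a known
# engineering workstation. Record format, addresses and allow-list are
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class PlcOperation:
    src: str   # host issuing the request
    plc: str   # field device receiving it
    op: str    # "read", "write" or "firmware_upload"


# Operations that alter controller state or code. Reads are tolerated here
# because they are noisy and, on their own, do not change the process.
STATE_CHANGING = {"write", "firmware_upload"}

# Constructed allow-list: which hosts may change which PLCs.
# "*" means any PLC in the zone.
ALLOWED_WRITERS = {
    "10.1.1.10": {"*"},           # engineering workstation (assumed)
    "10.1.1.11": {"10.1.2.50"},   # vendor laptop scoped to one controller (assumed)
}


def is_allowed(record: PlcOperation) -> bool:
    """Reads are always allowed; writes and uploads need an allow-list entry."""
    if record.op not in STATE_CHANGING:
        return True
    targets = ALLOWED_WRITERS.get(record.src)
    return targets is not None and ("*" in targets or record.plc in targets)


def parse_record(line: str) -> PlcOperation:
    """Parse one constructed 'src plc op' record."""
    src, plc, op = line.split()
    return PlcOperation(src, plc, op)


def find_alerts(lines):
    """Return one alert per state-changing operation from an unapproved host.

    Firmware uploads are rated 'critical' because they replace the device's
    code, which is the scenario the post describes; ordinary writes are 'high'.
    """
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if is_allowed(rec):
            continue
        severity = "critical" if rec.op == "firmware_upload" else "high"
        alerts.append(f"{severity}: {rec.op} to {rec.plc} from unapproved host {rec.src}")
    return alerts


# Constructed sample records exercising each branch.
SAMPLE_LOG = [
    "10.1.1.10 10.1.2.50 write",            # engineering workstation: allowed
    "10.1.1.11 10.1.2.51 write",            # vendor laptop outside its scope: alert
    "10.1.1.99 10.1.2.50 read",             # unknown host reading: tolerated
    "10.1.1.99 10.1.2.50 firmware_upload",  # unknown host loading firmware: alert
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

Running it prints two alerts: a high-severity one for the vendor laptop writing to a controller outside its scope, and a critical one for the unknown host performing a firmware upload. The point of the allow-list being per-PLC rather than a flat list of hosts is that a vendor laptop with legitimate access to one controller should still trip an alert when it touches another.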

One other thought: the lack of progress in improving field device security is disappointing and a bit baffling. Applications on servers and workstations have improved dramatically, although there is still a lot of work to do. Access gateways and industrial network infrastructure devices are now available with robust security. However, if we look at the security on the actual field device, it is largely unchanged from ten years ago. I can only surmise that field device vendors are still receiving only token pressure to improve security.