A recent article in scmagazine.com.au stated that unpatched versions of SAP software can be exploited and thus give unauthorised access to a SCADA system.
Knowing that “Hundreds of organisations have been detected running dangerously vulnerable versions of SAP that are more than seven years old”, we can generally assume that there are many more organisations worldwide that are running other vulnerable software packages.
Malicious hackers are able to learn the vulnerabilities of software, for example, by analysing the security patches using reverse engineering, among other techniques. With this knowledge they can develop new malicious software that is able to exploit vulnerabilities in all unpatched versions.
Increasingly, SCADA systems are being managed through the Internet or using machines that are connected to others used for general purposes. In the article the security expert Alexander Polyakov says: “You need to do your HR and financials with SAP, so [if it is hacked] it is kind of the end of the business. If someone gets access to the SAP they can steal HR data, financial data or corporate secrets … or get access to a SCADA system”.
We can conclude that the job of protecting SCADA systems is strongly dependent on the protection of all software that is used by an organisation. But do not assume it is enough. Even in the context of ModBus/SCADA, vendors’ responsiveness has room for improvement. In a recent vulnerability report of Schneider Electric Multiple Products Modbus Serial Driver MBAP Packet Parsing Buffer Overflow, the following timeline is presented:
2013/01/05 Vulnerability discovered.
2013/01/08 Vulnerability reported to ICSCERT.
2013/01/24 Vulnerability acknowledged by Schneider Electric.
2013/03/11 Vendor publishes security notification prior to fixes being ready.
2013/03/13 ICSCERT provides status update.
2013/04/10 Alerts published for OSVDB and RBS VulnDB Service2
2013/05/06 Publication of this vulnerability report.
In the corresponding OSVDB report we see that the patch was to be made available on the 17th May. The delay between the publication and the patch gives malicious hackers 11 days to exploit the vulnerability. And we are talking about systems used in Critical Infrastructures…