Russian security team to upgrade SCADA exploit tool

Gleg plans to add the latest public SCADA exploits into a penetration testing tool from Immunity

A Russian security company plans to release an upgraded exploit pack for industrial control software that incorporates a raft of new vulnerabilities released by an Italian security researcher.

The three-person company, called Gleg, is based in Moscow and specializes in vulnerability research. It recently began focusing on problems within SCADA (supervisory control and data acquisition) systems, which are used in factories, utilities and many other kinds of industrial applications, said Yuriy Gurkin, Gleg's CEO.

Gleg works with the Miami company Immunity, which sells a tool called Canvas, which is a framework for penetration testers wanting to try out the latest exploits against software vulnerabilities, along the same lines as the Metasploit tool.

Gleg supplies Immunity with exploit packs, which are add-ons with specific kinds of exploits, for Canvas. Gleg's main product is Agora, which integrates with Canvas. Agora is regularly updated with publicly disclosed zero-day, or new vulnerabilties and those discovered by its research team.

Canvas allows companies to figure out what kind of information a hacker could obtain, said Dave Aitel, CTO for Immunity.

"If you can't test against zero days, then you are not testing against a real-world situation," Aitel said.

About two weeks ago, Gleg released Agora SCADA+, a new add-on for Canvas, Gurkin said. It contains 27 exploits for SCADA software and will mostly likely have around 35 exploits when an upgrade is released next week, he said.

Gurkin said Gleg is incorporating the exploits written by Luigi Ariemma, who found about 50 vulnerabilities in four SCADA products made by Siemens, Iconics, 7-Technologies and Datac. All four companies had products with remotely exploitable vulnerabilities.

On his website, Ariemma self-published vulnerability details, which were also published on Bugtraq. He did not inform the vendors prior to releasing the information, something that is considered bad form by some in the security community. Officials at two of the vendors -- 7-Technologies and Datac -- said earlier this week they were working on patches.

Gurkin said he believes responsible disclosure practices are out of date.

"We, like Luigi, don't notify vendors," Gurkin said. "This is a waste of time."

However, Gleg's partner Immunity does vet organizations that are interested in buying Canvas to verify they are not going to use the product in a malicious way.

Gurkin said he has seen increasing requests from companies for SCADA audits. "Sometimes our partners who use different SCADA software ask us to check something they have, with terms like 'You give us recommendations, we give you access to the system'," he said.

The high-profile Stuxnet malware has also prompted wider concern, he said. Stuxnet is a worm that was designed to target Siemens' WinCC industrial control software. It was packaged with four zero-day exploits for Microsoft Windows. It is now widely believed that Stuxnet was designed to disrupt Iran's uranium enrichment program.

SCADA software was often not intended to be connected to the Internet, but nonetheless more companies have done that anyway, which poses security risks, Gurkin said. Companies in the SCADA field are also not as open as other software companies about exchanging security tips and knowledge, he said.

A three-month subscription for Agora SCADA+ costs $2,250, which includes updates to the exploit pack and a single license for the Canvas framework. A one-year subscription costs $5,400 and also comes with one Canvas license.

Send news tips and comments to jeremy_kirk@idg.com

Insider: How the basic tech behind the Internet works
Join the discussion
Be the first to comment on this article. Our Commenting Policies