"The most interesting thing about these bugs was how trivial they were to find," Portnoy wrote in the blog post. "The first exploitable 0day [previously unknown vulnerability] took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison."
In fact, according to Portnoy, it was more difficult to obtain the software than it was to find flaws in it. "I used a different approach to retrieve software for the various SCADA vendors," he said via email. "Some of them had trial software available to interested parties, others I had to dig up FTP credentials in some obscure document on their support portal. I did my best to ensure that I was auditing the latest version of the software I looked at."
Portnoy hopes that his findings partially overlap with those of ReVuln, because unlike ReVuln, he plans to report the vulnerabilities to ICS-CERT, which will then coordinate the disclosure with the affected vendors.
He would like to see ICS-CERT create a repository of SCADA software accessible to researchers who practice responsible disclosure. Even a list of software that's most important to audit would help, he said.
"I have a problem with nondisclosure," Portnoy said. "I don't think it does the industry or the general populace any good to purposely not allow a vendor to fix vulnerabilities by withholding information, which is why we responsibly disclose all of ours."
Much like ReVuln, Exodus Intelligence sells information about unpatched vulnerabilities through a subscription-based service. However, the service is aimed at helping companies defend their systems against attacks targeting such vulnerabilities until the software vendor is able to provide a patch.
The company always notifies vendors about the flaws before sharing information about them with its customers, Portnoy said. "All our clients are under a strict contract disallowing them from doing anything externally offensive with the information, besides testing their own defensive mitigations while the vendor works on a patch."
Exodus' reports include detailed analysis of the issues, an assessment of their risks, mitigation recommendations and sometimes exploit code. "We supply exploits for these issues because we've seen a history of defensive vendors basing their output on simple proof of concepts, and that does not yield realistic protection," Portnoy said.
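The point Portnoy makes about defences built from bare proofs of concept can be shown with a small illustration. The following is an added example written for this page, not code from Exodus, ReVuln or any vendor named in the article; the two-byte-magic/length-prefixed "protocol", the 64-byte receiver buffer and the overflow condition are all hypothetical, constructed only to contrast a signature copied from a PoC's filler bytes with a rule keyed on the condition that actually triggers the bug.

```python
# Added illustration (not from the article): a detection rule distilled from a
# minimal proof of concept versus one derived from the triggering condition.
# The wire format, buffer size and overflow are hypothetical and constructed
# for this example only.

import re
import struct

# Hypothetical wire format: 2-byte magic, 2-byte big-endian length, payload.
# Assume (for illustration) the receiver copies the payload into a 64-byte buffer.
MAGIC = b"\x5a\x5a"
BUF_SIZE = 64


def build_msg(payload: bytes) -> bytes:
    """Frame a payload in the hypothetical protocol."""
    return MAGIC + struct.pack(">H", len(payload)) + payload


# A minimal PoC as a researcher might publish it: a recognisable filler pattern.
POC = build_msg(b"A" * 200)

# Rule 1: a signature distilled from the PoC itself, the kind of output the
# quote criticises. It literally matches the filler the PoC happened to use.
POC_SIGNATURE = re.compile(rb"A{100,}")


def poc_signature_hits(msg: bytes) -> bool:
    return POC_SIGNATURE.search(msg) is not None


# Rule 2: a condition-based rule derived from the root cause. A declared payload
# length larger than the receiver's buffer is the real trigger, whatever bytes
# follow the header.
def overflow_condition_hits(msg: bytes) -> bool:
    if len(msg) < 4 or msg[:2] != MAGIC:
        return False
    declared = struct.unpack(">H", msg[2:4])[0]
    return declared > BUF_SIZE


# Constructed sample traffic: the PoC, a variant that reaches the same overflow
# with non-repeating filler, and a benign message.
def variant_exploit() -> bytes:
    # Same overflow, different filler: bytes 0x00..0xc7, no run of "A".
    return build_msg(bytes(range(256))[:200])


def benign() -> bytes:
    return build_msg(b"READ REG 0x10")


def evaluate() -> dict:
    """Return {sample: (poc_signature_hit, overflow_condition_hit)}."""
    samples = {"poc": POC, "variant": variant_exploit(), "benign": benign()}
    return {
        name: (poc_signature_hits(m), overflow_condition_hits(m))
        for name, m in samples.items()
    }


if __name__ == "__main__":
    for name, (sig, cond) in evaluate().items():
        print(f"{name:8s} poc_signature={sig!s:5s} overflow_condition={cond}")
```

Run stand-alone, the PoC-derived signature fires only on the PoC itself and misses the variant, while the condition-based rule catches both and stays quiet on the benign message. That gap between "matches the sample we were given" and "detects the bug" is what a realistic exploit, rather than a PoC, lets a defensive vendor measure.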
Portnoy is not the only researcher who had the idea of independently finding the vulnerabilities showcased by ReVuln and reporting them to vendors.