Last week the Italian researcher Luigi Auriemma published thirty-four vulnerabilities affecting four SCADA products. “Selling the concept of security for SCADA and ICS might still be struggling, but publishing vulnerabilities for SCADA and ICS equipment seems to be a growth industry,” wrote Eric Byres of Byres Security in the post The Italian job! on their blog on 23 March 2011.
Last Friday Joel Langill, CSO of SCADAhacker.com, blogged on Protecting your ICONICS GENESIS SCADA HMI System from Security Vulnerabilities, announcing a white paper that sets out six actions (also known as compensating controls) that users of ICONICS GENESIS products should take to protect their systems. Operators of other HMI products were advised to consider similar measures.
This morning Byres and Langill released another white paper, Analysis of the 7-Technologies IGSS Security Vulnerabilities for Industrial Control System Professionals, which may be important for protecting industrial control and SCADA systems.
The paper analyses the vulnerabilities in the 7-Technologies IGSS SCADA/HMI system published by Auriemma. The authors add that even readers who do not run this vendor’s products may find it helpful to review the six compensating controls recommended and apply those that are relevant to their own systems. They say: “Initial analysis seems to indicate that these vulnerabilities only affect IGSS Versions 8 and 9. This is due primarily to the fact that these vulnerabilities focus on a single IGSSdataServer application that is not believed to have existed in prior versions of the software. Until the vendor has posted an official response to these vulnerabilities, increased security diligence should be used based on the recommendations provided in this document.”
Because of the sensitive nature of the white paper, Analysis of the 7-Technologies IGSS Security Vulnerabilities for Industrial Control System Professionals, you must be logged in to the tofino.com site to access it.
See also: SCADA Vulnerabilities for 7-Technologies on the ISS Source website.