Security researcher Reid Wightman from the firm ioActive has found an undocumented back door in CoDeSys, the management software used by 261 different manufacturers of ICS devices. The back door gives full access without requiring authentication and has prompted the US Department of Homeland Security's ICS-CERT to issue an alert (PDF).
We've discussed ICS on the Patch Monday podcast before, including the Stuxnet operation against Iran's uranium enrichment program, how an air gap doesn't work to protect networks any more, and even war studies academic Thomas Rid reckons that cyberwar will not happen.
But hackers are getting smarter and, by the time you read this, it's likely that a module to detect Wightman's newly-discovered vulnerability will have already found its way into automated hacking tools. Doesn't this change the balance of power?
On Patch Monday this week, we discuss this latest ICS vulnerability, and industrial control security in general, with two Canadian experts on the subject who blog and podcast at liquidmatrix.org: James Arlen (known as myrcurial) and Dave Lewis (known as gattaca).
"The important thing to remember in all this is that the size matters," Arlen said.
"When we've got this huge quantity of potentially-affected systems, [it] could be something that runs an elevator, it could be something that runs a cookie manufacturing plant, it could be something that runs a chemical plant, and we know what happens when chemical plants go bad, it could be something that runs a power station," he said.
But it's not something that runs an entire oil pipeline or power grid, because that level of orchestration is done through SCADA.
"Essentially, these are the Arduinos of the manufacturing world. They're the device that provides the integration between something physical and the electronic world," Arlen said.
As Lewis explained, these systems were never really designed for security.
"Control systems engineers are very good at keeping power systems on," he said. "The security aspect of it gets lost, because the code was not written with that in mind, but I'm hoping that over time, that is actually is going to be corrected."
That correction is a long term project, because ICS devices can be in the field for decades and generally aren't set up for automatic software updates. There's also quite a cultural shift involved.
"The problem is pervasive throughout the industry," Arlen said.
But both Arlen and Lewis play down the risk of massive society disruption through an ICS attack.
To leave an audio comment on the program, Skype to stilgherrian, or phone Sydney +61 2 8011 3733.