Following the industrial control system attack on Iran’s nuclear facilities dubbed Stuxnet, vulnerability researchers have intensified their scrutiny of the software that runs these industrial systems, known as SCADA systems. The results are unsettling. Given the danger of vulnerabilities in the software that controls power and water systems and industrial plants, you would expect vulnerabilities to be rare. It is just the opposite. Common vulnerabilities listed in the CWE/SANS Top 25 Most Dangerous Software Errors, such as SQL injection (#2), Buffer Overflow (#3), and Use of Hard-Coded Credentials (#11), have been found in SCADA systems over the last few months. A visit to the ICS-CERT website shows the discouraging results. I believe these public disclosures are the tip of the iceberg, as there are not as many researchers focusing on SCADA as there are focusing on common consumer and business software.
The latest revelation comes from ICS-CERT, which alerts the industrial control system community to serious vulnerabilities that put them at risk. An exploitable buffer overflow has been discovered in a component of the ICONICS GENESIS32 and BizViz products. This component is an ActiveX control, a kind of component often used where a web-based user interface needs to interface with another piece of a software control system. ActiveX controls are commonly used in the UI of control systems built on the Microsoft Windows platform.
Buffer overflows in ActiveX controls are a serious class of vulnerability that came to light about 10 years ago. Back in 2001 the only solution to this problem was time-consuming manual code review or manual testing. But in 2011 there is a much better solution to the buffer overflow problem, known as static code analysis. All software written in C or C++ needs to be tested for buffer overflows using static code analysis before it is delivered to customers.
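To make the point concrete, here is an added example (my own illustration, not code from ICONICS or from any ActiveX control): the unchecked fixed-buffer string copy that a static analyser flags in a C/C++ property setter, next to a bounded version that rejects over-long input instead of overflowing. The struct, the buffer size and the sample titles are all hypothetical.

```c
/* Added example, not ICONICS code: a string "property" written into a
 * fixed-size member, in the unchecked form a static analyser reports and
 * in a bounded form that refuses input that does not fit. */
#include <stddef.h>
#include <string.h>

#define TITLE_MAX 32                 /* hypothetical fixed-size member */

struct display_ctrl {
    char title[TITLE_MAX];
};

/* Pattern a static analyser flags: strcpy() into a fixed buffer with no
 * comparison against the length of the caller-supplied string. Any src
 * of TITLE_MAX or more characters writes past the end of c->title. */
void set_title_unchecked(struct display_ctrl *c, const char *src)
{
    strcpy(c->title, src);
}

/* Bounded version: returns 0 on success and -1 when src (plus its NUL
 * terminator) would not fit, leaving the old title untouched. The scan
 * itself is bounded so an unterminated src is not read past TITLE_MAX. */
int set_title_checked(struct display_ctrl *c, const char *src)
{
    size_t n = 0;
    while (n < TITLE_MAX && src[n] != '\0')
        n++;
    if (n == TITLE_MAX)              /* no room left for the terminator */
        return -1;
    memcpy(c->title, src, n + 1);
    return 0;
}

/* Self-check on constructed input: a title that fits is stored, one that
 * is too long is rejected and the previous title survives. Returns 1 on
 * success, 0 on any failure. */
int demo_bounded_setter(void)
{
    struct display_ctrl c;
    char long_title[TITLE_MAX + 8];
    memset(long_title, 'A', sizeof long_title - 1);
    long_title[sizeof long_title - 1] = '\0';

    if (set_title_checked(&c, "Pump 1 status") != 0) return 0;
    if (strcmp(c.title, "Pump 1 status") != 0)       return 0;
    if (set_title_checked(&c, long_title) != -1)     return 0;
    if (strcmp(c.title, "Pump 1 status") != 0)       return 0;
    return 1;
}
```

A string of exactly TITLE_MAX - 1 characters is the largest that the checked version accepts; the unchecked version is kept only to show the shape a static analyser warns about, and nothing here calls it.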
Those interested in learning more about testing for vulnerabilities in ActiveX controls can read a free chapter on Local Fault Injection from my book, The Art of Software Security Testing. For the safety of our critical infrastructure, I hope the software engineers at Iconics will read this and consider security testing of their code.
The purchasers of industrial control systems and other business-critical systems should begin to ask their vendors whether they have performed security testing before software is delivered to them. Since static analysis can find the majority of the vulnerabilities in the CWE/SANS Top 25 Most Dangerous Software Errors, there is no excuse for important software not to be tested.