Category Archives: Energy

SCADA Exploits Roam Free

It looks like Luigi Auriemma did only a quick check of SCADA systems before he came up with a giant list of flaws. He has decided to post his initial findings to Bugtraq:

The following are almost all the vulnerabilities I found during a quick experiment some months ago in certain well-known server-side SCADA software packages that are still vulnerable at this moment.

He points out in his post that he did not know anything about SCADA systems before the tests. Obviously that did not stop him from quickly finding many weaknesses.

Full-disclosure advisories and proof-of-concepts:
Siemens Tecnomatix FactoryLink:
http://aluigi.org/adv/factorylink_1-adv.txt
http://aluigi.org/adv/factorylink_2-adv.txt
http://aluigi.org/adv/factorylink_3-adv.txt
http://aluigi.org/adv/factorylink_4-adv.txt
http://aluigi.org/adv/factorylink_5-adv.txt
[…]

Open up factorylink_2-adv.txt and you will see the vulnerability levels can be very high — remote exploit.

CSService is a Windows service listening on port 7580.

All the file operations used by the service (opcodes 6, 8 and 10) allow the client to specify arbitrary files and directories (absolute paths), and it’s possible for an attacker to download any file on the remote server. Obviously it’s also possible to specify directory traversal paths.
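The advisory describes a file-serving service that takes whatever filename the client sends. The check it implies is missing, confining every client-supplied name to one export directory, is shown below as an added example written for this page; it is not code from the advisory, from Auriemma, or from the FactoryLink product. It uses Python’s `ntpath` so that Windows rules (drive letters, UNC prefixes, both separators) apply on any host, because the advisory describes a Windows service. The export root `C:\FactoryLink\data`, the `unconfined_path` function (which only illustrates the behaviour the advisory describes, not the real CSService code) and the sample requests are all constructed.

```python
"""Path confinement for a file-serving network service (added example).

The advisory above says the CSService file operations accept absolute paths
and directory-traversal sequences. confine_path() is the check such a
service should apply to every client-supplied filename before touching the
filesystem. Windows path rules are used (ntpath) because the advisory
describes a Windows service; EXPORT_DIR and SAMPLE_REQUESTS are constructed.
"""
import ntpath
from typing import Optional

EXPORT_DIR = r"C:\FactoryLink\data"   # hypothetical export root


def unconfined_path(base_dir: str, requested: str) -> str:
    """Illustration of the behaviour the advisory describes, not vendor code:
    an absolute name is used as sent, a relative one is joined to the base,
    and '..' is never collapsed or checked. Shown for contrast only."""
    if ntpath.isabs(requested) or ntpath.splitdrive(requested)[0]:
        return requested
    return ntpath.join(base_dir, requested)


def confine_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path if `requested` names a file
    strictly inside `base_dir`, otherwise None.

    Refused: empty names, NUL bytes, drive letters and UNC prefixes, rooted
    names (leading slash or backslash) and anything that, once '.' and '..'
    are collapsed, no longer lies under base_dir.
    """
    if not requested or "\x00" in requested:
        return None
    # A drive ("C:...") or UNC share ("\\host\share") names an absolute
    # location rather than a file inside the export root.
    if ntpath.splitdrive(requested)[0]:
        return None
    # A leading separator is rooted at the drive of the export root;
    # checked explicitly because ntpath.isabs() treats it differently
    # across Python versions.
    if requested[0] in "\\/":
        return None
    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, requested))
    # normpath collapses "..", so a traversal attempt resolves to a path
    # outside base. commonpath is used instead of startswith so that
    # "C:\FactoryLink\data2" is not mistaken for a child of the export root.
    try:
        inside = ntpath.commonpath([base, candidate]) == base
    except ValueError:        # different drives, or absolute/relative mix
        return None
    if not inside or candidate == base:
        return None
    return candidate


# Constructed requests, loosely modelled on what the opcode 6/8/10 file
# operations might receive; none of these are taken from the advisory.
SAMPLE_REQUESTS = [
    r"reports\shift1.csv",
    r"..\..\Windows\win.ini",
    r"C:\Windows\win.ini",
    "/etc/passwd",
    r"\\fileserver\share\secret.txt",
    r"reports\..\..\..\Windows\win.ini",
    "reports/../shift1.csv",
]


def classify(base_dir: str = EXPORT_DIR, requests=SAMPLE_REQUESTS) -> dict:
    """Map each request to its confined path, or None when it is refused."""
    return {r: confine_path(base_dir, r) for r in requests}


if __name__ == "__main__":
    for req, result in classify().items():
        print(f"{req!r:45} -> {'refused' if result is None else result}")
```

The design point is that the check happens after normalisation and compares whole path components, not string prefixes; a service that only strips a leading `..\` or only rejects drive letters still lets `reports\..\..\..\Windows\win.ini` through. Logging every refused request alongside the client address also gives the operators a cheap detection signal for probing of the kind the advisory describes.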

First, to be fair, SCADA systems are often intended to live in a different world than other systems — single-user, single-role, etc. There may be a defense-in-depth or compensating control design to be considered that encapsulates a SCADA system. Langner talks about this some in his interview on Stuxnet. An unprotected CSService thus may have been built that way by design, to do one thing and do it well.

Second, I have found that critical infrastructure management can be dominated by a culture of data analysis. Staff are often told to punch holes into closed systems and environments to mine details needed for calculations. It can feel more like a financial firm trying to make real-time investment decisions than an engineering operation. Closed environments are under pressure to be opened in order for spreadsheets to run.

Third, the financially-focused managers boast about their speculation and risk-management skills. Yet they seem to rely more on faith than data analysis when it comes to risk relative to security controls. They raise defense-in-depth as a theory sufficient on its own instead of as a measured and managed practice to deploy controls more thoroughly. That usually means when you find a vulnerability like factorylink_2-adv someone will always emphasize my first point above and say “I believe that’s handled elsewhere.”

Putting the three above points together, the worlds of IT and SCADA are not nearly as separate and distinct as many want to believe. They must be managed to reflect this convergence or there is a risk of leaving gaps for attackers to exploit. Even worse, the depth of defense can go unmeasured and leave basic systems unprotected in environments exposed to high-risk multi-user threats.

That’s why Auriemma’s list should be taken seriously. Vendors need to secure their products, or at the very least test them for hostile scenarios and provide security warnings/guidance. The demand, however, really has to come from SCADA application consumers. I suspect that these full-disclosure vulnerability announcements will help improve the industry’s risk calculations — prove the value of paying for better security from the SCADA vendors. On the other hand, if management still does not get it, then regulations will probably have to tighten.

$3K electric Cloud car with 200 mile range

EcoModder tells of a hobbyist named Dave Cloud in the US who set himself a challenge: build an electric car for less than $3K that will go more than 200 miles on a charge. The base platform is a 1997 Geo.

The Dolphin was put together for a miserly $3,000, but can do impressive things for the meager amount of money that was used to create it. Running on used batteries, the car managed a 70mph top speed and overall range of upwards of 80 miles, despite the fact that curb weight is well over 3000 pounds.

Imagine the results if the car manufacturers or others donated a 2011 platform (or even a diesel-electric hybrid concept from 2005) and held a competition among hobbyists. Is that too pie-in-the-sky? Disclaimer: I love pie. Dave’s explanation of his limitations is quoted by EcoModder:

…my goal was to build a vehicle that can go 200 miles on a single charge with a speed of 60-65 mph for 85% of the miles, for under $3,000. I accomplished this goal. Because of my $3,000 limitation I made a lot of compromises in the chassis design hoping that the aerodynamics of the vehicle would make up for those inefficiencies. Inefficiencies such as front wheel bearings that rumble, back tires that are 10 years old and misshapen, single speed dual series motors (that were $100), no re-gen and inexpensive Curtis controllers.

I have watched vehicle automation contests, solar vehicle contests (which have produced Dolphin-looking cars)…is there a hypermile or mile-per-charge contest? I also have watched government leaders try to make a stupid parody out of innovation in automobile efficiency (golf carts never should have been allowed to count as a manufacturer’s low-emission “fleet” vehicle — it was a clever legal loophole exploited by GM, but if it can’t safely travel over 65 mph…bzzzzt, next).

Dolphin 200 mile Electric Vehicle

This reminds me of two things. One, the muscle cars that many are buying today are big-box industrialized interpretations of hobbyist vehicles at the race track from the late 1960s. I would say 70s, but they fell way out of fashion by the late 70s because efficiency became the hobbyist market objective in the oil crisis (efficiency didn’t leave in the 1980s, but the big car manufacturers lost interest when OPEC partners started to fight and undercut each other). Second, the MP3 players in practically every stereo today are an industrialized interpretation of hobbyist stereos in the late 1990s (e.g. big kudos to the original MP3 Miata with a PC in the trunk).

Comparison of these two hobbyist movements can help predict innovation cycles and answer the question: when can I buy a Dolphin?

The cost of materials in a car has typically been the impediment to more competition, as well as safety regulations. Who can afford to ship iron and forge it into a chassis or axle, for example, other than a Ford or GM? This hurdle is overcome by hobbyists through reclamation of old vehicles. It also is overcome by lighter, stronger and more easily managed technology like carbon fiber or fiberglass or plastic. The electronics industry, on the other hand, is far more open to competition because sourcing the material is far less expensive and Moore’s law seems to always find a way in.

The adoption cycle of efficient electric vehicles thus could now be more like the MP3 than the muscle car and we will see a commercial attempt to market the Dolphin within ten years instead of thirty.

Some might say VW, with plans to overtake Toyota in total sales, is already on the right path with a sleek-looking 261 mpg diesel-electric hybrid at car shows.

VW XL1 FTW

Yes, that looks like a 1992 Subaru SVX. Oh Subaru, I remember when you were actually cool for being the outsider in America with inexpensive all-wheel-drive and high mpg.

Subaru SVX

…or a Ford Probe, or a Honda Insight. Car manufacturers have certainly tested the water with efficiency and aerodynamic designs (and there are other 200 mile range electrics for more money) but I hope the Dolphin $3K challenge inspires home hackers and hobbyists as they are the ones most likely to innovate without fear of losing a few Escalade or Expedition sales.

Davi

The Risk of Radiation Dosage, Illustrated

xkcd has a dry wit and usually a good sense of how to fit humor with technology. The radiation dose chart on the site is a great idea but it lacks cartooning and jokes. Is that because of sensitivity, fear and feelings associated with radiation exposure?

He points out, for example, that a CRT over one year will expose you to more radiation than an x-ray of your arm. Maybe I should put that the other way around. It’s kind of funny.

The giant green box area on the right side of his chart is the maximum annual dose allowed for a radiation worker, while the itty bitty green box to the left of it is the maximum external dose from Three Mile Island. Wow, assuming his boxes are accurate, that is a good illustration of risk.

xkcd Radiation Dose Chart

The BBC offers a more dramatic version. They list the levels in numeric format, but the chart gives a very “red” heavy impression of exposure. I noted in their chart that the annual dose level allowed for a radiation worker has been reduced by more than half. This suggests that these charts are not an accurate representation of known risk — they are an estimation still subject to change.

Radiation Dose Level Risk

Of course photos of radiation victims probably have the most profound effect on our risk thermostat, as they tend to give us a sense of accurate representation (7 million affected by Chernobyl fallout, half of them children instead of just the 50 officially recorded).

Recovery Funds Speed Nuclear Cleanup

The Department of Energy reports that the cleanup of nuclear waste in South Carolina is moving ahead and creating hundreds of jobs with the help of Federal Recovery Funds. It is a little more than half complete today.

Recovery funds are accelerating the cleanup of contaminated facilities, soil, and ground water at one of the nation’s key nuclear weapons sites.

During the early 1950s, the Savannah River Site (SRS) produced tritium and plutonium-239 to be used in the manufacture of nuclear weapons.

[…]

Since the 1990s, the Department of Energy (DOE) has been working to clean up contamination on the 310-square-mile site in South Carolina. Recovery funds totaling $1.6 billion are allowing DOE to accelerate these clean-up efforts. DOE says the Recovery funds — from six separate awards — will reduce the SRS footprint by 75 percent by 2012, seven years earlier than previously planned.

It is amazing how large an area is contaminated or otherwise impacted by these nuclear facilities — 310 square miles!

Just one segment of the project, which is already completed, had 23 buildings spread over 40 square miles. Quick trivia check: 40 square miles is the same as 25,000 acres and…

  1. Twice the area of Manhattan, NY
  2. The same area targeted in the 2003 hunt for Osama bin Laden
  3. The same area as Walt Disney World Resort
  4. The same area as the vacant, abandoned lots in Detroit, MI
  5. All of the above

Imagine if $1.6 billion were earmarked by the federal government for the same 310 square miles to fund innovation and production instead of just reclamation (making the area usable again). Although innovation and jobs for reclamation are notable, this is a good example of the back-end costs that are sunk into fixing pollution.