Aaron Ferber can now add bug detective to his resume. The cyber security software engineer at Oak Ridge National Laboratory discovered a bug, or vulnerability, in commercial SCADA software, resulting in a finding on the Common Vulnerability Enumeration, or CVE, database.
“It’s a cool thing in vulnerability research to publish and disclose to CVE,” said Ferber. “I’m happy to have done it.”
SCADA software is used to monitor large machines and systems. Commonly, this helps technicians to oversee operations in critical infrastructure plants and to know if the system is running correctly or where a problem may be.
Ferber sought to enter PWN2OWN 2022, a competition that rewards discovery of vulnerabilities in proprietary software. He spent six weeks searching through code of a specific SCADA product, AVEVA Edge, to find ways a hacker could gain access or steal data.
He described the initial discovery as “having a bad smell,” which led to further investigation and, ultimately, discovery of the complete picture. What he found could allow remote attackers to execute their own code on infected AVEVA Edge systems without the user’s knowledge. “When I saw the universal scripting language, VBscript, which is code that interacts with the underlying operating system without built-in constraints or safety checks, I knew I was onto something big.”
Ferber started his career a decade ago as a software engineer. Through internships with his alma mater — the University of Tennessee — and ORNL, he learned how to understand the structure of software development and cybersecurity. He became an ORNL employee in 2015 and now works as a vulnerability researcher, a position that allows him to review existing code for weaknesses.
Ferber’s research is part of an emerging area of expertise at the laboratory.
“ORNL is fully committed to vulnerability research,” said Shaun Gleason, division director for ORNL’s Cyber Resilience and Intelligence. “We established an R&D group in this field and are growing our capability through investing in business development, hiring new staff and offering vulnerability research training for staff across the division.”
Now that he has caught the bug, Ferber plans to participate in future PWN2OWN competitions while keeping an eye on the broader impact of his work. “For national security, it is important to secure our critical infrastructure from cyberattacks.”
UT-Battelle manages ORNL for the Department of Energy’s Office of Science, the single largest supporter of basic research in the physical sciences in the United States. The Office of Science is working to address some of the most pressing challenges of our time. For more information, please visit energy.gov/science. — Liz Neunsinger