Feeds

SCADA security bug exposes world's critical infrastructure

Oil, food and plane industries at risk

Next gen security for virtualised datacentres

Gasoline refineries, manufacturing plants and other industrial facilities that rely on computerized control systems could be vulnerable to a security flaw in a popular piece of software that in some cases allows attackers to remotely take control of critical operations and equipment.

The vulnerability resides in CitectSCADA, a software product used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. As a result, companies in the aerospace, food, manufacturing and petroleum industries that rely on Citect's SCADA products may be exposing critical operations to outsiders or disgruntled employees, according to Core Security, which discovered the bug.

Citect and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia are urging organizations that rely on CitectSCADA to contact the manufacturer to receive a patch. In cases where installing a software update is impractical, organizations can implement workarounds.

In theory, the bug should be of little consequence, since there is general agreement that SCADA systems, remote terminal units and other critical industrial controls should never be exposed to the internet.

But "in the real world, in real scenarios, that's exactly what happens, because corporate data networks need to connect to SCADA systems to collect data that's relevant to running the business," said Ivan Arce, CTO of Core. "Those networks in turn may be connected to the internet."

Wireless access points also represent a weak link in the security chain, he said, by connecting to systems that are supposed to be off limits.

It's the second vulnerability Core has found in a SCADA system in as many months. In May, the security company warned of a flaw in monitoring software known as InTouch SuiteLink that put power plants at risk of being shut down by miscreants. Also last month, the organization that oversees the North American electrical grid took a drubbing by US lawmakers concerned it isn't doing enough to prevent cyber attacks that could cripple the country.

The scrutiny comes as more and more operators try to cut costs and boost efficiency by using SCADA systems to operate equipment using the internet or telephone lines. The technology has its benefits, but it may also make the critical infrastructure vulnerable to cyber attacks by extortionists, disgruntled employees and terrorists.

The flaw in CitectSCADA is related to a lack of proper length-checking that can result in a stack-based buffer overflow. Attackers who send specially crafted data packets can execute malicious code over the vulnerable system, according to Core, maker of the Core Impact penetration testing product. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Best practices for enterprise data
Discussing how technology providers have innovated in order to solve new challenges, creating a new framework for enterprise data.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?