SCADA security bug exposes world's critical infrastructure
Oil, food and plane industries at risk
Gasoline refineries, manufacturing plants and other industrial facilities that rely on computerized control systems could be vulnerable to a security flaw in a popular piece of software that in some cases allows attackers to remotely take control of critical operations and equipment.
The vulnerability resides in CitectSCADA, a software product used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. As a result, companies in the aerospace, food, manufacturing and petroleum industries that rely on Citect's SCADA products may be exposing critical operations to outsiders or disgruntled employees, according to Core Security, which discovered the bug.
Citect and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia are urging organizations that rely on CitectSCADA to contact the manufacturer to receive a patch. In cases where installing a software update is impractical, organizations can implement workarounds.
In theory, the bug should be of little consequence, since there is general agreement that SCADA systems, remote terminal units and other critical industrial controls should never be exposed to the internet.
But "in the real world, in real scenarios, that's exactly what happens, because corporate data networks need to connect to SCADA systems to collect data that's relevant to running the business," said Ivan Arce, CTO of Core. "Those networks in turn may be connected to the internet."
Wireless access points also represent a weak link in the security chain, he said, by connecting to systems that are supposed to be off limits.
It's the second vulnerability Core has found in a SCADA system in as many months. In May, the security company warned of a flaw in monitoring software known as InTouch SuiteLink that put power plants at risk of being shut down by miscreants. Also last month, the organization that oversees the North American electrical grid took a drubbing by US lawmakers concerned it isn't doing enough to prevent cyber attacks that could cripple the country.
The scrutiny comes as more and more operators try to cut costs and boost efficiency by using SCADA systems to operate equipment using the internet or telephone lines. The technology has its benefits, but it may also make the critical infrastructure vulnerable to cyber attacks by extortionists, disgruntled employees and terrorists.
The flaw in CitectSCADA stems from a lack of proper length-checking that can result in a stack-based buffer overflow. Attackers who send specially crafted data packets can execute malicious code on the vulnerable system, according to Core, maker of the Core Impact penetration testing product. ®
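The class of defect the article describes, shown as an added illustration that is not Citect's code: a toy request handler that copies a length-prefixed tag name into a fixed-size stack buffer. The wire format (a 2-byte big-endian length followed by the name), the function names and the sample packets are all constructed for this example. The unchecked handler trusts the packet's own length field; the checked one validates that field against both the bytes actually received and the destination size before a single byte is copied, and treats a name that would exactly fill the buffer as too long so the terminator always has room.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not Citect code): a toy request whose wire format is
 * a 2-byte big-endian length field followed by that many bytes of tag name.
 * The handler copies the name into a fixed-size stack buffer. */
#define MAX_TAG_NAME 32

typedef enum { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 } parse_status;

/* Vulnerable pattern, the "lack of proper length-checking" the article names:
 * the length field read from the packet is trusted and used directly as the
 * size of a memcpy into a 32-byte stack buffer.  A packet declaring a larger
 * length overflows 'name' and clobbers whatever sits above it on the stack.
 * Shown only to make the defect concrete; call it with well-formed input only. */
int handle_request_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    char name[MAX_TAG_NAME];
    if (pkt_len < 2)
        return -1;
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(name, pkt + 2, declared);   /* BUG: 'declared' is never compared with sizeof name */
    return (int)declared;
}

/* Hardened parser: every length is validated against both what was actually
 * received and the destination capacity before anything is copied. */
parse_status parse_tag_name(const uint8_t *pkt, size_t pkt_len,
                            char *out, size_t out_cap)
{
    if (pkt_len < 2)
        return PARSE_TRUNCATED;            /* header incomplete */
    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    if (declared > pkt_len - 2)
        return PARSE_TRUNCATED;            /* length field claims bytes we never received */
    if (declared >= out_cap)
        return PARSE_TOO_LONG;             /* would not fit with its NUL terminator */
    memcpy(out, pkt + 2, declared);
    out[declared] = '\0';
    return PARSE_OK;
}

/* Hardened handler: the same fixed-size stack buffer as the vulnerable one,
 * but the copy only happens once parse_tag_name has accepted the length.
 * The accepted name is kept in last_tag so callers can inspect it. */
static char last_tag[MAX_TAG_NAME];

parse_status handle_request_checked(const uint8_t *pkt, size_t pkt_len)
{
    char name[MAX_TAG_NAME];
    parse_status st = parse_tag_name(pkt, pkt_len, name, sizeof name);
    if (st == PARSE_OK)
        memcpy(last_tag, name, strlen(name) + 1);
    else
        last_tag[0] = '\0';                /* rejected packets leave no stale name behind */
    return st;
}

const char *last_parsed_tag(void) { return last_tag; }

/* Build a well-formed packet for a given tag name (used to construct inputs). */
size_t build_packet(uint8_t *buf, size_t cap, const char *name)
{
    size_t n = strlen(name);
    if (n > 0xFFFF || cap < n + 2)
        return 0;
    buf[0] = (uint8_t)(n >> 8);
    buf[1] = (uint8_t)(n & 0xFF);
    memcpy(buf + 2, name, n);
    return n + 2;
}

/* Encode 'name', feed it to the hardened handler and report the verdict. */
parse_status round_trip(const char *name)
{
    uint8_t pkt[512];
    size_t len = build_packet(pkt, sizeof pkt, name);
    if (len == 0)
        return PARSE_TOO_LONG;             /* would not even fit the packet buffer */
    return handle_request_checked(pkt, len);
}

/* Constructed packets: a valid 5-byte name, and a header that claims
 * 1024 bytes while carrying only two. */
const uint8_t PKT_VALID[] = { 0x00, 0x05, 'P', 'U', 'M', 'P', '1' };
const uint8_t PKT_LYING_LENGTH[] = { 0x04, 0x00, 'A', 'B' };

int main(void)
{
    printf("PUMP1 -> %d (%s)\n", round_trip("PUMP1"), last_parsed_tag());
    printf("41-char name -> %d\n", round_trip("THIS_TAG_NAME_IS_FORTY_CHARACTERS_LONG_!!"));
    printf("lying header -> %d\n",
           handle_request_checked(PKT_LYING_LENGTH, sizeof PKT_LYING_LENGTH));
    return 0;
}
```

The two checks in `parse_tag_name` guard against different things: the first stops an over-read past the end of the received packet, the second stops the over-write of the stack buffer that the article's vulnerability is built on. Both have to be present; a parser that only compares the length field with the buffer size still reads beyond a short packet.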
COMMENTS
fushin
As per others' comments, it shouldn't even be near the internet, as per tiering and layered security... security 101 ffs.
Strange how only Citect (SCADA) has been mentioned over the last few years in SCADA kb's.
To expose major infrastructure with a web server (as it does) to external public subnets is actually breaching the laws in some countries and states, and any admin or manager who allows this should be fired.
These exploits will continue until we stop using the MS c+ development platform as mentioned in the other posts and utilise secure coding principles and platforms.
This SCADA package unfortunately only runs on the MS OS, and not 'nux, Apple etc.
@AC, Rodent and Duncan
The petrol companies don't add 5p per litre to the price because their costs go up. They add 5p to the price because they can. Capitalism in full tilt.
Duncan - agree, agree with your comments. Assuming tiered security includes boring things like VLANs, this isn't that tough to implement, and pay scales assume that network admins know and do this.
ADA is still alive? That's cool. Does anyone know if APL is still around? Someone could write a complete SCADA deployment in one line of APL code. Though it wouldn't sound as catchy as "ADA for SCADA".
When will we learn
Article: "The flaw in CitectSCADA is related to a lack of proper length-checking that can result in a stack-based buffer overflow. "
Sigh. About the millionth time I read about this type of vulnerability. The saddest part is that a solution for these has been known since the 1960s: use languages that catch array overflows and also do other strict compile- and runtime checking. The people who design systems where failure is not an option, like avionics or space systems, know this and use Ada, which was designed with safety in mind. Several other languages with similar safety properties also exist, but C and C++ are not among them. (CitectSCADA was almost certainly implemented in C or C++, like most embedded systems these days.)
Such checking cannot of course eliminate all bugs, but at least an overflow turns into a handleable exception or a crash needing a reboot, instead of potentially allowing malicious code execution. Which do you prefer?
Efficiency concerns? Less of a problem than you might think, especially with today's processors. A statically compiled safe language is anyway faster than Java. Smart compilers can also safely eliminate many of the runtime checks when compiling.