Citect yanks 'misleading' SCADA bug advisory
Are you vulnerable? Only you can know
Citect, a designer of software used by manufacturing plants and other industrial facilities, has removed an advisory that played down a vulnerability in one of its popular pieces of software.
Citect's move followed last week's release of proof-of-concept code that exploited a vulnerability in CitectSCADA, which is used to manage industrial control mechanisms known as SCADA (Supervisory Control And Data Acquisition) systems. The bug meant systems that relied on the software could potentially be exposed to tampering by disgruntled employees or terrorists.
Kevin Finisterre, the director of penetration testing at security firm Netragard, said he released the code because he believed Citect's advisory was misleading customers about the real severity of the bug. Shortly afterward, the document was pulled from Citect's website and replaced with this one, said Adriel Desautels, CTO of Netragard.
"I think the proof-of-concept served its purpose," Desautels said. "I absolutely do commend" Citect for the removal. He said the release, which was folded into the Metasploit penetration testing toolkit, was intended solely to clear up confusion by helping security professionals determine for themselves whether they were vulnerable to the bug.
Representatives from Citect, which is headquartered in Australia, weren't immediately available to comment. ®
SCADA is normally private
SCADA systems normally run on private networks using VPNs etc. to cross the wilds. That makes most proof-of-concept vulns theoretical rather than practical.
In the old days (1980s, when I dabbled in SCADA) they already had tiered security. People gathering stats for bean counting or system analysis did not have the rights to twiddle knobs. This was more often than not controlled by tiered physical security (only computers in the control room could twiddle) as well as logons.
Of course an internal hacker could do damage, but then he could also go and throw a physical spanner in the works too.
Slow news day? I'm no huge Citect fan, but seriously? 'Company pulls advice for some better advice?'. Come on. Anyone would think you've got it in for them!
This is an improvement over the previous SCADA article
Dan cited a specific implementation of SCADA software, which makes more sense to me than SCADA itself having vulnerabilities. I think that the previous article's gone through some editing, too.
It's still not clear to me whether this vulnerability is exploitable by folks on the street as such, or by insiders only. This depends on whether there are external access points to the system, I suppose. Pretty easy to mitigate those. Again, I'd be more worried about insiders than external h4x0rs.