The Register® — Biting the hand that feeds IT

Feeds

Citect yanks 'misleading' SCADA bug advisory

Are you vulnerable? Only you can know

Customer Success Testimonial: Recovery is Everything

Citect, a designer of software used by manufacturing plants and other industrial facilities, has removed an advisory that played down a vulnerability in one of its popular pieces of software.

Citect's move followed last week's release of proof-of-concept code that exploited a vulnerability in CitectSCADA, which is used to manage industrial control mechanisms known as SCADA (Supervisory Control And Data Acquisition) systems. The bug meant systems that relied on the software could potentially be exposed to tampering by disgruntled employees or terrorists.

Kevin Finisterre, the director of penetration testing at security firm Netragard, said he released the code because he believed Citect's advisory was misleading customers about the real severity of the bug. Shortly afterward, the document was pulled from Citect's website and replaced with this one, said Adriel Desautels, CTO of Netragard.

"I think the proof-of-concept served its purpose," Desautels said. "I absolutely do commend" Citect for the removal. He said the release, which was folded in to the Metasploit penetration testing tool kit, was intended solely to clear up confusion by helping security professionals determine for themselves whether they were vulnerable to the bug.

Representatives from Citect, which is headquartered in Australia, weren't immediately available to comment. ®

Ensure Ease of Recovery with Asigra’s Agentless Software

Latest Comments

SCADA is normally private

SCADA systems normally run on private networks using VPNs etc to cross the wilds. That makes most proof of concept vulns theoretical rather than practical.

In the old days (1980s, when I dabbled in SCADA) they already had tiered security. People gathering stats for bean counting or system analysis did not have the rights to twiddle knobs. This was more often than not controlled by tiered physical security (only computers in the control room could twiddle) as well as log ons.

Of course an internal hacker could do damage, but then he could also go and throw a physical spanner in the works too.

0
0

Pah

Slow news day? I'm no huge Citect fan, but seriously? 'Company pulls advice for some better advice?'. Come on. Anyone would think you've got it in for them!

0
0

This is an improvement over the previous SCADA article

Dan cited a specific implementation of SCADA software, which makes more sense to me than SCADA itself having vulnerabilities. I think that the previous article's gone through some editing, too.

It's still not clear to me whether this vulnerability is exploitable by folks on the street as such, or by insiders only. This depends on whether there are external access points to the system, I suppose. Pretty easy to mitigate those. Again, I'd be more worried about insiders than external h4x0rs.

0
0

More from The Register

 breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
 breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
 breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
 breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
 breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats