Feeds

World's electrical grids open to attack

Scads of SCADA bugs

Choosing a cloud hosting partner with confidence

A serious vulnerability has been found in yet another computerized control system that runs some of the world's most critical infrastructure, this time in a product sold by a vendor known as the ABB Group.

According to researchers from C4 - a firm specializing in the security of so-called SCADA, or Supervisory Control And Data Acquisition, systems - ABB's Process Communication Unit (PCU) 400 suffers from a critical buffer overflow bug.

"The vulnerability was exploited by C4 to verify it can be used for arbitrary code execution by an unauthorized attacker," researcher Idan Ofrat wrote in this advisory published on Thursday. "In addition, an attacker can use his control over the FEP server to insert a generic electric grid malware...in order to cause harm to the grid."

The vulnerable software controls critical national infrastructure, including electrical grids. The vulnerability affects versions 4.4, 4.5, and 4.6, and possibly others, the C4 advisory warns.

ABB has issued a patch for the bug.

The advisory comes as concern mounts about the safety of software used to run gasoline refineries, manufacturing plants and other industrial facilities. In June, a now-patched vulnerability in CitectSCADA potentially exposed plants' critical operations to outsiders or disgruntled employees. Law makers on both sides of the Atlantic have warned that lax security may make critical infrastructure vulnerable to saboteurs or terrorists.

C4 is no stranger to security in SCADA systems. In January, it warned of vulnerabilities in two products made by Ge Fanuc. One of them resided in Ge Fanuc's Cimplicity product, and the other affected the company's Proficy Information Portal 2.6. Both appear to have have been patched. ®

Remote control for virtualized desktops

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Managing SSL certificates with ease
The lack of operational efficiencies and compliance pitfalls associated with poor SSL certificate management, and how the right SSL certificate management tool can help.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.