Feeds

World's power grids infested with (more) SCADA bugs

Swarm overtakes e-terrahabitat

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

Areva Inc. - a Paris-based company that serves nuclear, wind, and fossil-fuel power companies - is warning customers to upgrade a key piece of energy management software following the discovery of security bugs that leaves it vulnerable to hijacking.

The vulnerabilities affect multiple versions of Areva's e-terrahabitat package, which allows operators in power plants to monitor gas and electric levels, adjust transmission and distribution devices, and automate other core functions. Areva markets itself as one of the top three global players in the transmission and distribution of energy.

A swarm of buffer overflow and denial-of-service bugs makes versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering, the US Computer Emergency Readiness Team warns here. Customers using earlier versions need to upgrade as well.

"An unauthenticated attacker may be able to gain access with the privileges of the e-terrahabitat account or an administrator account and execute arbitrary commands, or cause a vulnerable system to crash," CERT's advisory states. Users should apply the patch immediately, it adds.

The warning is the latest to affect so-called SCADA, or supervisory control and data acquisition, software used to control valves and switches at manufacturing plants, power generators, and gasoline refineries throughout the world. In theory, such bug shouldn't pose much risk, because SCADA systems and other critical industrial controls should never be exposed to the internet.

Indeed, a spokesman at Areva's Maryland outpost suggested Thursday that the vulnerabilities like the ones included in the advisory didn't amount to much of a threat.

"Computers used at nuclear power plants are not connected to the internet and therefore they're not vulnerable to viruses of any kind," he said.

But in the real world, there's plenty of ways vulnerable SCADA systems could be exploited. As plants struggle to cut costs, they frequently turn to SCADA to manage systems remotely, over telephone lines or private networks. Corporations also connect SCADA systems to their data networks to collect data, and those networks are sometimes connected to the internet, some security experts have said.

CERT used the advisory as an opportunity to remind administrators about the benefits of using network perimeter access controls to reduce their exposure to attacks. Among the resources available: signatures based on the Snort network intrusion detection system offered by the Department of Homeland Security and available through Areva.

Areva credited Eyal Udassin and Jonathan Afek of C4 Security with discovering some of the vulnerabilities. Idaho National Labs and the Department of Homeland Security's Control Systems Security Program were also cited. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.