Feeds

World's power grids infested with (more) SCADA bugs

Swarm overtakes e-terrahabitat

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Areva Inc. - a Paris-based company that serves nuclear, wind, and fossil-fuel power companies - is warning customers to upgrade a key piece of energy management software following the discovery of security bugs that leaves it vulnerable to hijacking.

The vulnerabilities affect multiple versions of Areva's e-terrahabitat package, which allows operators in power plants to monitor gas and electric levels, adjust transmission and distribution devices, and automate other core functions. Areva markets itself as one of the top three global players in the transmission and distribution of energy.

A swarm of buffer overflow and denial-of-service bugs makes versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering, the US Computer Emergency Readiness Team warns here. Customers using earlier versions need to upgrade as well.

"An unauthenticated attacker may be able to gain access with the privileges of the e-terrahabitat account or an administrator account and execute arbitrary commands, or cause a vulnerable system to crash," CERT's advisory states. Users should apply the patch immediately, it adds.

The warning is the latest to affect so-called SCADA, or supervisory control and data acquisition, software used to control valves and switches at manufacturing plants, power generators, and gasoline refineries throughout the world. In theory, such bug shouldn't pose much risk, because SCADA systems and other critical industrial controls should never be exposed to the internet.

Indeed, a spokesman at Areva's Maryland outpost suggested Thursday that the vulnerabilities like the ones included in the advisory didn't amount to much of a threat.

"Computers used at nuclear power plants are not connected to the internet and therefore they're not vulnerable to viruses of any kind," he said.

But in the real world, there's plenty of ways vulnerable SCADA systems could be exploited. As plants struggle to cut costs, they frequently turn to SCADA to manage systems remotely, over telephone lines or private networks. Corporations also connect SCADA systems to their data networks to collect data, and those networks are sometimes connected to the internet, some security experts have said.

CERT used the advisory as an opportunity to remind administrators about the benefits of using network perimeter access controls to reduce their exposure to attacks. Among the resources available: signatures based on the Snort network intrusion detection system offered by the Department of Homeland Security and available through Areva.

Areva credited Eyal Udassin and Jonathan Afek of C4 Security with discovering some of the vulnerabilities. Idaho National Labs and the Department of Homeland Security's Control Systems Security Program were also cited. ®

Beginner's guide to SSL certificates

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.