Areva Inc. - a Paris-based company that serves nuclear, wind, and fossil-fuel power companies - is warning customers to upgrade a key piece of energy management software following the discovery of security bugs that leaves it vulnerable to hijacking.

The vulnerabilities affect multiple versions of Areva's e-terrahabitat package, which allows operators in power plants to monitor gas and electric levels, adjust transmission and distribution devices, and automate other core functions. Areva markets itself as one of the top three global players in the transmission and distribution of energy.

A swarm of buffer overflow and denial-of-service bugs makes versions 5.5, 5.6, and 5.7 of e-terrahabitat susceptible to tampering, the US Computer Emergency Readiness Team warns here. Customers using earlier versions need to upgrade as well.

"An unauthenticated attacker may be able to gain access with the privileges of the e-terrahabitat account or an administrator account and execute arbitrary commands, or cause a vulnerable system to crash," CERT's advisory states. Users should apply the patch immediately, it adds.

The warning is the latest to affect so-called SCADA, or supervisory control and data acquisition, software used to control valves and switches at manufacturing plants, power generators, and gasoline refineries throughout the world. In theory, such bug shouldn't pose much risk, because SCADA systems and other critical industrial controls should never be exposed to the internet.

Indeed, a spokesman at Areva's Maryland outpost suggested Thursday that the vulnerabilities like the ones included in the advisory didn't amount to much of a threat.

"Computers used at nuclear power plants are not connected to the internet and therefore they're not vulnerable to viruses of any kind," he said.

But in the real world, there's plenty of ways vulnerable SCADA systems could be exploited. As plants struggle to cut costs, they frequently turn to SCADA to manage systems remotely, over telephone lines or private networks. Corporations also connect SCADA systems to their data networks to collect data, and those networks are sometimes connected to the internet, some security experts have said.

CERT used the advisory as an opportunity to remind administrators about the benefits of using network perimeter access controls to reduce their exposure to attacks. Among the resources available: signatures based on the Snort network intrusion detection system offered by the Department of Homeland Security and available through Areva.

Areva credited Eyal Udassin and Jonathan Afek of C4 Security with discovering some of the vulnerabilities. Idaho National Labs and the Department of Homeland Security's Control Systems Security Program were also cited. ®