Thanks to Marcus Sachs for pointing me to this one---WB
In my view, this raises several questions. Why, again (remember, Core accused Wonderware of dilatory response just a couple of months ago) did Citect take five months to fix the problem? Why did Core go to the Associated Press? Does Core have an ethical problem with doing that? Advertising your services by outing people and companies you call bad actors -- how do you all feel about the ethics of what Core did?
Security hole exposes utilities to Internet attack
By JORDAN ROBERTSON
AP Technology Writer
SAN FRANCISCO (AP) -- Attackers could gain control of water treatment
plants, natural gas pipelines and other critical utilities because of a
vulnerability in the software that runs some of those facilities,
security researchers reported Wednesday.
Experts with Boston-based Core Security Technologies, who discovered the
deficiency and described it exclusively to The Associated Press before
they issued a security advisory, said there's no evidence anyone else
found or exploited the flaw.
Citect Pty. Ltd., which makes the program called CitectSCADA, patched
the hole last week, five months after Core Security first notified
Citect of the problem.
But the vulnerability could have counterparts in other so-called
supervisory control and data acquisition, or SCADA, systems. And it's
not clear whether all Citect clients have installed the patch.
SCADA systems remotely manage computers that control machinery,
including water supply valves, industrial baking equipment and security
systems at nuclear power plants.
Customers that use CitectSCADA include natural gas pipelines in Chile,
major copper and diamond mines in Australia and Botswana, a large
pharmaceutical plant in Germany and water treatment plants in Louisiana
and North Carolina.
For an attack involving the vulnerability that Core Security revealed
Wednesday to occur, the target network would have to be connected to the
Internet. That goes against industry policy but does happen when
companies have lax security measures, such as connecting control
systems' computers and computers with Internet access to the same
routers.
A rogue employee could also access the system internally.
Security experts say the finding highlights the possibility that hackers
could cut the power to entire cities, poison a water supply by
disrupting water treatment equipment, or cause a nuclear power plant to
malfunction by attacking the utility's controls.
That possibility has grown in recent years as more of those systems are
connected to the Internet.
The Citect vulnerability is of a common type. Called a "buffer
overflow," it allows a hacker to gain control of a program by sending a
computer too much data.
"It's not a very elaborate problem," Ivan Arce, Core Security's chief
technology officer, said in an interview. "If we found this thing - and
this was not that hard - it would be easy for someone else to do it."
Citect is a subsidiary of French power-equipment giant Schneider
Electric SA. Company representatives did not return repeated calls for
comment.
Citect said in a statement included in Core Security's advisory that
customers should isolate their SCADA systems entirely from the Internet
or make sure they use firewalls and other technologies to prevent the
systems from talking to the outside world.
Normally, the facilities that use SCADA systems fix flaws privately and
very little is revealed publicly about any problems.
What's clear is that such control systems are increasingly vulnerable to
Internet-borne threats, since viruses and worms have disrupted service
in power plants, automobile factories and gasoline pipelines - even when
those facilities weren't targeted.
Alan Paller, director of research for the SANS Institute, which operates
the Internet Storm Center, an early warning system for computer attacks,
said Core Security Technologies' discovery shows many major facilities
may remain vulnerable.
"It dashes the defense of, 'We're different, we don't have that kind of
problem,'" Paller said. "That's why this is significant."
(c) 2008 The Associated Press. All rights reserved.