Security audit exposes flaw in SCADA software

Boston, Mass. – A security flaw in a popular piece of SCADA software could be exposing the worldís manufacturing plants, gas refineries and industrial facilities to attack.

Core Security Technologies has issued an advisory disclosing a vulnerability that could severely impact organizations relying on Citectís flagship industrial process control software, CitectSCADA. The discovery indicates that thousands of companies using Citectís SCADA systems could unknowingly be exposing critical industrial processes and assets that they otherwise sought to protect if they do not immediately move to apply the vendor-provided patch, or other suggested workarounds for the vulnerability issued by the software maker.
According to CoreLabs, the research arm of Core Security that initially discovered the flaw and reported it to Citect, an attacker could potentially use the vulnerability to gain remote, unauthenticated access to a host system running CitectSCADA. If successfully exploited in this manner, the issue could allow an attacker to subsequently execute arbitrary code on vulnerable systems to take control of operations dependent on the vulnerable software.
Citect, however, maintains that no SCADA, PLC, DCS, RTU or process control networks should ever be exposed unprotected to the Internet. The company says it advises those organizations operating such networks to either isolate the systems from the Internet entirely, or use technologies, including firewalls,to keep them protected from improper external communications.
Despite the fact that nearly all SCADA software makers maintain a similar stance in terms of advising customers to keep the systems walled-off from the Internet, however, the reality is that many organizations do have their process control networks accessible from wireless and wired corporate data networks that are in turn exposed to public networks such as the Internet, according to CoreLabs experts.
“While it is known that SCADA software as a whole was not designed to be accessible over public networks and therefore should not be accessible outside of highly isolated process control systems networks, the reality is that most organizations end up with their systems accessible through wireless and wired corporate networks, or even public networks,” says Iv·n Arce, chief technology officer of Core Security Technologies. “As such, vulnerabilities of this nature can pose serious risks to any businesses using this technology and both the vendor and user organizations should be diligent and address them in a timely manner.”
For more information on this vulnerability, visit the Core Security website.