Thousands of users of the CitectSCADA process control system are being warned to apply Citect’s software patch immediately, to avoid exposure of their controlled systems to attack.
The advice comes from Core Security Technologies, which discovered the vulnerability. The flaw could allow attackers to gain remote, unauthenticated access to a host system running the software.
Iván Arce, Core Security Technologies CTO, says that if successfully exploited in this manner, the issue could allow an attacker to execute arbitrary code on vulnerable systems to take control of operations.
“While it is known that SCADA software as a whole was not designed to be accessible over public networks, and therefore should not be accessible outside of highly isolated process control systems networks, the reality is that most organisations end up with their systems accessible through wireless and wired corporate networks, or even public networks,” he warns.
“As such, vulnerabilities of this nature can pose serious risks to any businesses using this technology – and both the vendor and user organisations should be diligent and address them in a timely manner.”
Citect’s security update for the issue – which is available from the vendor upon request – offers users the option of disabling ODBC (open database connectivity), or automatically discarding malformed ODBC packets that may be used to exploit the vulnerability.
Citect – like most SCADA (supervisory control and data acquisition) software developers – also maintains that no SCADA, PLC, DCS, RTU or process control networks should ever be exposed unprotected to the Internet.
Rather, the company advises that manufacturers operating such networks should either isolate the systems from the Internet entirely, or utilise technologies, such as firewalls, to keep them protected.
However, manufacturing users investigating the latter approach need to be aware of the limits of commercial firewall systems when applied to industrial control systems, as well as the difficulty of providing timely patches for discovered vulnerabilities without the patches themselves risking control problems.
The best advice is to talk to your process control system vendor and, if you must use remote communications via public networks – even VPNs – consider security systems from specialists such as Innominate.