Core Security released a security
advisory on 11 June that details a fairly pedestrian stack-based buffer
overflow vulnerability. This is similar to hundreds or thousands of this
kind of flaw reported over the years except for one thing: it was found in
large industrial control systems for things like power and water utility
companies. That there is a vulnerability is not surprising—there
are certainly many more—but it does give one pause
about the dangers of connecting these systems to the
The bug was found in a Supervisory Control and Data
Acquisition—better known as SCADA—system and could be
exploited to execute arbitrary code. Given that SCADA systems run much of
the world's infrastructure, an exploit of a vulnerable system could have
severe repercussions. The customers of Citect, the company that makes the
affected systems, include "organizations in the aerospace, food,
manufacturing, oil and gas, and public utilities industries."
Makers of SCADA systems nearly uniformly tell their customers to keep those
systems isolated from the internet. But as Core observes: "the
reality is that many organizations do have their process control networks
accessible from wireless and wired corporate data networks that are in turn
exposed to public networks such as the Internet." So, the potential
for a random internet bad guy to take control of these systems does exist.
None of that should be particularly surprising when you stop to think about
it, but it is worrying. Many SCADA systems—along with various
control systems—were designed and developed long before the internet
started reaching homes and offices everywhere. They were designed for
"friendly" environments, with little or no change for the hostile
environment that characterizes today's internet. Also, as we have seen,
security rarely gets the attention it deserves until some kind of ugly
Even for systems that were designed recently, there are undoubtedly
vulnerabilities, so it is a bit hard to believe that they might be
internet-connected. According to the advisory, though, SCADA makers do not
necessarily require that the systems be physically isolated from the
network, instead customers can "utilize technologies including firewalls
to keep them protected from improper external communications."
Firewalls—along with other security techniques—do provide a
measure of protection, but with the stakes so high, it would seem that more
caution is required. It is probably convenient for SCADA users to be able
to connect to other machines on the LAN, as well as to the internet, but
with that convenience comes quite a risk. Even systems that are just
locally connected could fall prey to a disgruntled employee exploiting a
vulnerability to gain access to systems they normally wouldn't have.
One can envision all manner of havoc that could be wreaked by a malicious
person (or government) who can take over the systems that control nuclear
power plants, enormous gas pipelines, or some chunk of the power grid.
Unfortunately, it will probably take an incident like that to force these
industries into paying as much attention to their computer security as they
do to their physical security.
to post comments)