U.S. warns of more SCADA software holes

Cybersecurity officials are busy issuing warnings as researchers keep disclosing new holes in software used to manage systems at utilities and other industrial plants.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Flaws in SCADA software, used to monitor and control sensors and operations at utilities and other critical infrastructure facilities, seem to keep coming out of the woodwork:

• Last week, the U.S. ICS-CERT (Industrial Control System Computer Emergency Response Team) issued several advisories about vulnerabilities exposed in SCADA (supervisory control and data acquisition) software. One was in an ActiveX control in WellinTech KingView V6.53 human-machine interface (HMI) software used in the power, water, and aerospace industries, mostly in China. The researcher publicly released exploit code for the hole, and the vendor released an update that resolves the problem. The second vulnerability was reported in Progea's Movicon 11 HMI product, used primarily in Italy. It too has been patched.

• Also last week, a Russian firm released exploits targeting 11 unpatched, or zero-day, holes in SCADA software, which The Register was first to report.

• Three days ago, an Italian researcher publicly released information on dozens of unpatched holes in four different products and released exploits targeting them. The move prompted an ICS-CERT warning.

• On Tuesday, Spanish researcher Ruben Santamarta told the BugTraq e-mail list that he had found flaws in BroadWin WebAccess, a Web browser-based HMI product from Advantech that ICS-CERT says is used in energy and other industries in North America, Asia, North Africa and the Middle East. Santamarta released details of the vulnerability and exploit code and ICS-CERT issued an alert.

• And yesterday, ICS-CERT released yet another advisory, this one warning about a SQL (Structured Query Language) vulnerability in the Ecava IntegraXor HMI product that could allow data leakage or manipulation as well as remote code execution on the backend host running the database service. Ecava has developed a patch for the hole.

Security problems with software used to monitor and control systems in the electric grid, refineries, gas pipelines, and other critical operations are moving to the forefront as the industries adopt Web-based technologies and connect previously isolated networks to the Internet.

"What is the acceptable tolerable level for security with industrial control systems? We don't know," Mike Ahmadi, co-founder of consultancy GraniteKey, told CNET. "Systems have been isolated from the outside world ... It's a very significant change we're going through right now."

While the SCADA bug reports appear to be accelerating, it's unclear if any of the vulnerabilities have been used in attacks on working plants or systems. However, last year the threat became reality with Stuxnet, a sophisticated and multipronged attack targeting specific Siemens software used in industrial control operations that experts said appeared to be directed at nuclear facilities in Iran.