X

U.S. warns of security holes in Chinese SCADA apps

Software employed in critical infrastructure systems in the U.S. and other nations carries security bugs that attackers could take advantage of, says the Department of Homeland Security.

Lance Whitney Contributing Writer
Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books--one on Windows and another on LinkedIn.
See full bio
Lance Whitney
2 min read

Software made by a Chinese company and used around the world by chemical, defense, and energy companies contains security holes that attackers could exploit to hack into critical systems.

In an advisory issued yesterday (PDF), the Department of Homeland Defense warned of two vulnerabilities in software made by Beijing-based Sunway ForceControl (Google Translate English version). The Chinese company makes SCADA (supervisory control and data acquisition) software, which is used in computer systems that control and monitor manufacturing plants and equipment used by different industries.

Discovered by security researcher Dillon Beresford of NSS Labs, the security holes could allow cybercriminals to issue a distributed denial-of-service attack or remotely execute arbitrary code on key systems.

Though Sunway's products are mainly used in China, the advisory reports that the company's software is also "deployed in Europe, the Americas, Asia, and Africa" and "across a wide variety of industries including petroleum, petrochemical, defense, railways, coal, energy, pharmaceutical, telecommunications, water, manufacturing, and others."

Upon learning of the security holes, the DHS's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) contacted Sunway as well as China's National Vulnerability Database (CNVD). In response, Sunway issued two patches designed to fix both of the security holes. Though CNVD has validated the patches, neither ICS-CERT nor NSS Labs have so far done so.

The U.S. has in the past warned about the vulnerability of SCADA systems as a result of security holes exploited in several SCADA applications, especially since this software is used by utilities and other companies that manage critical public infrastructure. Many of these companies are also moving their systems away from an environment in which they were isolated from the Internet to one in which they're directly connected to the Internet, another cause for concern.

ICS-CERT advises owners of control system devices to make sure that these devices are protected behind firewalls and isolated from the overall business network. Further, employees who need remote access should use only secure methods, such as virtual private metworks (VPNs).