Citect Vulnerability Raises Wider Disclosure Issues
By Andrew Bond, Industrial Automation Insider
Cyber security moved back to the top of the agenda for SCADA system vendors and users last month when security testing specialist Core Security Technologies revealed that it had found a “vulnerability” in Schneider subsidiary Citect’s flagship CitectSCADA product.
Core Security, which claims that its Core Impact product is the world’s most comprehensive enterprise security assurance testing software, has made something of a reputation for itself by publicly disclosing vulnerabilities in popular commercial software, including that from major vendors such as IBM and Microsoft. More recently it appears to have turned its attention to industrial applications, and in May of this year, it revealed that it had found a potential denial-of-service vulnerability in systems using Wonderware SuiteLink prior to version 2.0 Patch 01, although the issue has since been addressed by a Wonderware Tech Alert.
Its approach has raised concerns that it could be making such vulnerabilities public before industrial users have been able to neutralize their effect, even when they have been notified of the vendor’s recommended patch or workaround, and could thus be putting industrial installations and utilities, along with their staff, users and the general public, at risk.
According to Core Security’s research arm, CoreLabs, the vulnerability in CitectSCADA could have allowed a remote unauthenticated attacker to use an ODBC server component designed to service requests over TCP/IP networks either to force an abnormal termination of the software or to execute arbitrary code on the system and hence gain complete control of the applications.
Citect said that it believed its SCADA customers were extremely unlikely to be at risk from the vulnerability, so long as their systems were protected by industry-standard security guidelines, and it pointed out that both it and other vendors had for some time been advising users of the potential vulnerabilities of control systems when connected to the internet. Moreover, it suggested that the particular vulnerability identified by Core Security was only relevant to installations using ODBC technology and directly connecting their systems to the internet with no security in place.
“The security of our customers’ control systems is of paramount importance to us,” said Citect Global CEO Christopher Crowe. “Though we have not had any reports of breaches, we are contacting our customers globally to confirm they have followed recommended network security measures. We have also developed a patch for those companies that might not be able to implement necessary network security measures promptly.”
For its part, Core Security points out that many organizations do have process control networks that are accessible from wireless and wired corporate data networks, which are, in turn, exposed to public networks such as the Internet. “While it is known that SCADA software as a whole was not designed to be accessible over public networks and, therefore, should not be accessible outside of highly isolated process control systems networks, the reality is that most organizations end up with their systems accessible through wireless and wired corporate networks, or even public networks,” said Core Security Technologies CTO Iván Arce. “As such, vulnerabilities of this nature can pose serious risks to any businesses using this technology and both the vendor and user organizations should be diligent and address them in a timely manner.”
The company said that as well as notifying the vendor, it had advised the official US, Argentine and Australian Computer Emergency Response Teams of the problem.