Citect Vulnerability Raises Wider Disclosure Issues

Aug. 5, 2008
The Security of Our Customers

Cyber security moved back to the top of the agenda for SCADA system vendors and users last month when security testing specialist Core Security Technologies revealed that it had found a “vulnerability” in Schneider subsidiary Citect’s flagship CitectSCADA product.

Core Security, which claims that its Core Impact product is the world’s most comprehensive enterprise security assurance testing software, has made something of a reputation for itself by publicly disclosing vulnerabilities in popular commercial software, including that from major vendors such as IBM and Microsoft. More recently it appears to have turned its attention to industrial applications, and in May of this year, it revealed that it had found a potential denial-of-service vulnerability in systems using Wonderware SuiteLink prior to version 2.0 Patch 01, although the issue has since been addressed by a Wonderware Tech Alert.

Concerns

Core Security’s approach has raised concerns that it could be making such vulnerabilities public before industrial users have been able to neutralize their effect, even when they have been notified of the vendor’s recommended patch or workaround. It could thus be putting industrial installations and utilities, along with their staff, users and the general public, at risk.

According to Core Security’s research arm, CoreLabs, the vulnerability in CitectSCADA could have allowed a remote unauthenticated attacker to use an ODBC server component designed to service requests over TCP/IP networks either to force an abnormal termination of the software or to execute arbitrary code on the system and hence gain complete control of the applications.

Citect said that it believed its SCADA customers were extremely unlikely to be at risk from the vulnerability, so long as their systems were protected by industry-standard security guidelines, and it pointed out that both it and other vendors had for some time been advising users of the potential vulnerabilities of control systems when connected to the internet. Moreover, it suggested that the particular vulnerability identified by Core Security was only relevant to installations using ODBC technology and directly connecting their systems to the internet with no security in place.

Patch

“The security of our customers’ control systems is of paramount importance to us,” said Citect Global CEO Christopher Crowe. “Though we have not had any reports of breaches, we are contacting our customers globally to confirm they have followed recommended network security measures. We have also developed a patch for those companies that might not be able to implement necessary network security measures promptly.”

For its part, Core Security points out that many organizations do have process control networks that are accessible from wireless and wired corporate data networks, which are, in turn, exposed to public networks such as the Internet. “While it is known that SCADA software as a whole was not designed to be accessible over public networks and, therefore, should not be accessible outside of highly isolated process control systems networks, the reality is that most organizations end up with their systems accessible through wireless and wired corporate networks, or even public networks,” said Core Security Technologies CTO Iván Arce. “As such, vulnerabilities of this nature can pose serious risks to any businesses using this technology and both the vendor and user organizations should be diligent and address them in a timely manner.”

The company said that as well as notifying the vendor, it had advised the official US, Argentine and Australian Computer Emergency Response Teams of the problem.