Netragard researcher praises Citect response to vulnerability revelation

Sept. 24, 2008

From Kevin Finisterre at Netragard:

This is a mass emailing....The information surrounding the Citect issue that Netragard has found is considered public information as far as I know.

From Kevin Finisterre at Netragard:

This is a mass emailing....The information surrounding the Citect issue that Netragard has found is considered public information as far as I know.

Latest News, Security Update - Internet Display, Clients Using FTP, 23 September 2008, Citect has released security guidance relating to the use of the File Transfer Protocol (FTP) capability in CitectSCADA software to configure Internet Display Client (IDC) functionality.

http://www.citect.com/documents/idcftp-response.pdfhttp://knowledgebase.citect.com/SafetyandSecurity/article.aspx?id=1001

Timeline:August 21, 2008 Ask SCADASEC mailing list for Citect contactsAugust 21, 2008 I mailed Citect (based on some contacts that were given to me by Walt Boyes and Ron Southworth via SCADASEC) about an issue I had found.

August 21, 2008 Majella Nollan responded and started the process...

Pretty much one month later... they have a pretty nice response written up.After the initial contact was made I would say that the process was pretty kick ass. Majella spearheaded putting me in touch with a few people, she also set up a nice conf call with here engineers. All in all several emails were exchanged and a few calls made. There were definitely on top of things this time, based on conversations we had it seemed as if they had been doing some internal changes to their procedures.

-KF

Sponsored Recommendations

IEC 62443 4-1 Cyber Certification – Why ML 3 is So Important

The IEC 62443 Security for Industrial Automation and Control Systems - Part 4-1: Secure Product Development Lifecycle Requirements help increase resilience for control systems...

Multi-Server SCADA Maintenance Made Easy

See how the intuitive VTScada Services Page ensures your multi-server SCADA application remains operational and resilient, even when performing regular server maintenance.

Your Industrial Historical Database Should be Designed for SCADA

VTScada's Chief Software Architect discusses how VTScada's purpose-built SCADA historian has created a paradigm shift in industry expectations for industrial redundancy and performance...

Linux and SCADA – What You May Not Have Considered

There’s a lot to keep in mind when considering the Linux® Operating System for critical SCADA systems. See how the Linux security model compares to Windows® and Mac OS®.