New SCADA buffer overflow flaw revealed

A vulnerability discovered in widely deployed industrial process control software could grant a remote attacker control over critical infrastructure, researchers said on Wednesday.

The bug in CitectSCADA, which was patched last week, is a traditional buffer overflow, said Ivan Arce, chief technology officer of Core Security Technologies, the firm that discovered the flaw several months ago and revealed it Wednesday.

But although the flaw is patched and there are no known cases of exploitation, it could prove to be an ominous sign of the threat landscape to come.

"This type of software and the availability of this software is becoming more open and prevalent to the general public and the security community," he said. "Control networks are becoming increasingly connected to corporate data networks, which are in turn connected to the internet."

That means supervisory control and data acquisition (SCADA) software that controls industrial processes, including oil and gas pipelines, chemical plants, assembly lines and power grids, could be in harm's way, he said.

"The impact [of this vulnerability] is that anyone who has the ability to connect to a specific port on the system running the software can actually take control of the software," Arce told

The flaw comes on the heels of a similar vulnerability discovered in WonderWare SuiteLink, software used to automate operations at industrial plants. Arce said more flaws will be discovered in process control software -- long considered protected by obscurity -- as it becomes more interconnected with other business functions.

Process control networks traditionally have been isolated from other more data-intensive and internet-based networks, said Jim White, vice president of critical infrastructure and security at Uniloc, a provider of device-based solutions.

That is changing due to various organizational needs, such as having access to real-time data coming out of the process systems.

"Now rather than having an individual that fills out paperwork, they've interconnected these two systems," White told on Wednesday. "Companies haven't rearchitected their systems and put the controls in that are necessary."

White said SCADA providers such as Citect must conduct vulnerability assessments to detect bugs, especially ones as common as buffer overflows.

"Vulnerability testing should be a part of quality control," he said. "It should be a standard piece, not an afterthought."

A representative from Citect, whose U.S. headquarters is in Georgia, could not be reached for comment.
