New SCADA buffer overflow flaw revealed
The bug in CitectSCADA, which was patched last week, is a traditional buffer overflow, said Ivan Arce, chief technology officer of Core Security Technologies, the firm that discovered the flaw several months ago and revealed it Wednesday.
But although it is patched and there are no known cases of exploitation, the vulnerability could prove to be an ominous sign of the threat landscape to come.
"This type of software and the availability of this software is becoming more open and prevalent to the general public and the security community," he said. "Control networks are becoming increasingly connected to corporate data networks, which are in turn connected to the internet."
That means supervisory control and data acquisition (SCADA) software that controls industrial processes, including oil and gas pipelines, chemical plants, assembly lines and power grids, could be in harm's way, he said.
"The impact [of this vulnerability] is that anyone who has the ability to connect to a specific port on the system running the software can actually take control of the software," Arce told SCMagazineUS.com.
The flaw comes on the heels of the discovery of a similar vulnerability affecting the WonderWare Suite Link, used to automate operations at industrial plants. Arce said more flaws will be discovered in process control software -- long considered protected by obscurity -- as it becomes more interconnected with other business functions.
Process control networks traditionally have been isolated from other more data-intensive and internet-based networks, said Jim White, vice president of critical infrastructure and security at Uniloc, a provider of device-based solutions.
That is changing due to various organizational needs, such as having access to real-time data coming out of the process systems.
"Now rather than having an individual that fills out paperwork, they've interconnected these two systems," White told SCMagazineUS.com on Wednesday. "Companies haven't rearchitected their systems and put the controls in that are necessary."
White said SCADA providers such as Citect must conduct vulnerability assessments to detect bugs, especially ones as common as buffer overflows.
"Vulnerability testing should be a part of quality control," he said. "It should be a standard piece, not an afterthought."
A representative from Citect, whose U.S. headquarters is in Georgia, could not be reached for comment.