
New SCADA buffer overflow flaw revealed

A vulnerability discovered in widely deployed industrial process control software could grant a remote attacker control over critical infrastructure, researchers said on Wednesday.

The bug in CitectSCADA, which was patched last week, is a traditional buffer overflow, said Ivan Arce, chief technology officer of Core Security Technologies, the firm that discovered the flaw several months ago and revealed it Wednesday.

But, although it is patched and there are no known cases of exploitation, the vulnerability could prove to be an ominous sign of the impending threat landscape.

"This type of software and the availability of this software is becoming more open and prevalent to the general public and the security community," he said. "Control networks are becoming increasingly connected to corporate data networks, which are in turn connected to the internet."

That means supervisory control and data acquisition (SCADA) software that controls industrial processes, including oil and gas pipelines, chemical plants, assembly lines and power grids, could be in harm's way, he said.

"The impact [of this vulnerability] is that anyone who has the ability to connect to a specific port on the system running the software can actually take control of the software," Arce told
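The bug class Arce describes, a length read off the wire and used as the size of a copy into a fixed buffer, is shown below beside its hardened form. This is an added illustration, not CitectSCADA's code or anything from Core Security's advisory; the two-byte length-prefixed message format, the 64-byte payload limit and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed wire format for illustration (not CitectSCADA's protocol):
 * a 2-byte big-endian payload length followed by the payload bytes. */
#define MAX_PAYLOAD 64

enum parse_result { MSG_OK = 0, MSG_SHORT_HEADER, MSG_TOO_LARGE, MSG_TRUNCATED };

/* Vulnerable pattern: the length field arrives from the network and is used
 * directly as the copy size, so whoever can reach the port decides how many
 * bytes land in a fixed-size stack buffer. Kept only for contrast with the
 * hardened parser below; it is never exercised here. */
int handle_message_unsafe(const uint8_t *msg, size_t msg_len) {
    char payload[MAX_PAYLOAD];
    if (msg_len < 2) return -1;
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    memcpy(payload, msg + 2, declared); /* no check against MAX_PAYLOAD or msg_len */
    return (int)declared;
}

/* Hardened version: every length derived from the wire is checked against
 * both the destination capacity and the number of bytes actually received
 * before any copy happens. */
enum parse_result parse_message(const uint8_t *msg, size_t msg_len,
                                char *out, size_t out_cap, size_t *out_len) {
    if (msg == NULL || out == NULL || out_len == NULL) return MSG_SHORT_HEADER;
    if (msg_len < 2) return MSG_SHORT_HEADER;             /* header incomplete */
    size_t declared = ((size_t)msg[0] << 8) | msg[1];
    if (declared > out_cap) return MSG_TOO_LARGE;         /* would overflow out */
    if (declared > msg_len - 2) return MSG_TRUNCATED;     /* claims more than received */
    memcpy(out, msg + 2, declared);
    *out_len = declared;
    return MSG_OK;
}

/* Helper: parse into a MAX_PAYLOAD buffer and report only the result code,
 * so each constructed message can be classified with one call. */
enum parse_result check_message(const uint8_t *msg, size_t msg_len) {
    char buf[MAX_PAYLOAD];
    size_t n = 0;
    return parse_message(msg, msg_len, buf, sizeof buf, &n);
}
```

A message whose length field exceeds the buffer, or exceeds what was actually received, is rejected before the copy; the unsafe handler would have copied whatever the peer declared.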

The flaw comes on the heels of a similar vulnerability discovery impacting the WonderWare Suite Link, used to automate operations at industrial plants. Arce said more flaws will be discovered in process control software -- long considered protected by obscurity -- as it becomes more interconnected with other business functions.

Process control networks traditionally have been isolated from other more data-intensive and internet-based networks, said Jim White, vice president of critical infrastructure and security at Uniloc, a provider of device-based solutions.

That is changing due to various organizational needs, such as having access to real-time data coming out of the process systems.

"Now rather than having an individual that fills out paperwork, they've interconnected these two systems," White told on Wednesday. "Companies haven't rearchitected their systems and put the controls in that are necessary."

White said SCADA providers such as Citect must conduct vulnerability assessments to detect bugs, especially ones as common as buffer overflows.

"Vulnerability testing should be a part of quality control," he said. "It should be a standard piece, not an afterthought."

A representative from Citect, whose U.S. headquarters is in Georgia, could not be reached for comment.
