Security Bug Exposes World’s Critical Infrastructure

Many of the world’s gasoline refineries, manufacturing plants and industrial facilities rely on computerized control systems known as SCADA (Supervisory Control and Data Acquisition). But a security flaw in a popular piece of software could leave the world’s critical infrastructure up for grabs.

In an article on the Register website, Dan Goodin says the vulnerability resides in CitectSCADA, a software product used to manage industrial control mechanisms. The result? Companies in the aerospace, food, manufacturing and petroleum industries that rely on Citect’s SCADA products may be exposing critical operations to outsiders or disgruntled employees.

The bug was discovered by a company called Core Security. Citect and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia are urging organizations that rely on CitectSCADA to contact the manufacturer to receive a patch.

“In theory, the bug should be of little consequence, since there is general agreement that SCADA systems, remote terminal units and other critical industrial controls should never be exposed to the internet,” Goodin says.

But “that’s exactly what happens, because corporate data networks need to connect to SCADA systems to collect data that's relevant to running the business,” Ivan Arce, CTO of Core Security, told Goodin. “Those networks in turn may be connected to the internet.”

It’s the second vulnerability Core has found in a SCADA system in as many months. In May, the security company warned of a flaw in monitoring software known as InTouch SuiteLink that put power plants at risk of being shut down by miscreants.