US Warns of Problems In Chinese SCADA Software
alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."
I've said it before and I'll say it again (Score:0, Insightful)
Idiots (Score:5, Insightful)
Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.
Re:I've said it before and I'll say it again (Score:3, Insightful)
No need to unfairly single out the Chinese. I feel confident to extend that out to pretty much any nation. Wasn't our bestest friend (sarcasm) Israel found to have the biggest [rense.com] espionage [rense.com] ring yet uncovered right here in the US of A?
Newsflash: Vulnerabilities on software (Score:3, Insightful)
Is this news? Whatever software you are using has vulnerabilities.
So what if the software came from China? Do you think software from San Jose is any better? I don't see any evidence of some communist party conspiracy here.
Re:This may be a stupid question... (Score:5, Insightful)
Re:Anyone surprised? (Score:5, Insightful)
I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.
I'd say that there are flaws in just about every major PLC (Allen-Bradley, Modicon, GE, and so on, to name a few). Most are just legacy serial protocols that have been wrapped in Ethernet, so these controllers accept arbitrary packets from any source. With protocols like MODBUS, it is fairly easy to construct such packets by hand even.
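Added example, not part of the comment above or of the original thread: a minimal Modbus/TCP frame parser used as a monitoring check. It shows that the header carries no sender identity or authentication field, so the only control available on the wire is the source address. The sample frames, IP addresses, allowlist and function names are constructed for illustration.

```python
import struct

# Modbus function codes that change state on the controller.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_adu(frame: bytes) -> dict:
    """Parse a Modbus/TCP request: 7-byte MBAP header, function code, data.
    Note what is absent: no credential, session token or signature field."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction": tid, "unit": unit,
            "function": frame[7], "data": frame[8:]}

def review(packets, allowed_writers):
    """Return (source, reason) alerts for malformed frames and for write
    requests whose source address is not on the allowlist."""
    alerts = []
    for src, frame in packets:
        try:
            adu = parse_adu(frame)
        except ValueError as exc:
            alerts.append((src, f"malformed: {exc}"))
            continue
        name = WRITE_CODES.get(adu["function"])
        if name and src not in allowed_writers:
            alerts.append((src, f"{name} to unit {adu['unit']}"))
    return alerts

# Constructed sample traffic (documentation/private addresses).
READ = bytes.fromhex("000100000006010300000002")   # fc 3, read 2 registers
WRITE = bytes.fromhex("0002000000060106001000ff")  # fc 6, write one register
SAMPLE = [("10.0.0.5", READ), ("10.0.0.5", WRITE),
          ("203.0.113.7", WRITE), ("203.0.113.7", WRITE[:7])]
ALLOWED_WRITERS = {"10.0.0.5"}  # hypothetical engineering workstation

if __name__ == "__main__":
    for src, reason in review(SAMPLE, ALLOWED_WRITERS):
        print(src, reason)
```
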
Re:Newsflash: Vulnerabilities on software (Score:4, Insightful)
The entire Slashdot piece is formulated as an us-vs-them issue. There are thousands of vulnerabilities discovered all the time in all kinds of software, and the submitter just happened to pick one in software sold by a Chinese company and that was discovered by US-based researchers, insinuating that there is something wrong with the Chinese. The nationalities are a red herring. They could have titled the story "Security team warns of problems with SCADA software" but that wouldn't lead to a jingoistic us-vs-them discussion.
Re:Newsflash: Vulnerabilities on software (Score:3, Insightful)
Indeed, I don't think there would be a headline if the software was from, say, Finland. Finding evidence it was put there deliberately, that's a different story.
Re:Anyone surprised? (Score:2, Insightful)
Yeah. I mean, Siemens is a German company, and we would never expect that from the Germans. It's not like they ever started a war, China on the other hand...
Re:Anyone surprised? (Score:2, Insightful)
The solution is simple. Just because they are Ethernet & TCP/IP now does not mean they need to be connected to the public Internet.
DISCONNECT THE DAMN THINGS FROM THE INTERNET!
If you need remote communication from other sites, use WAN links and VPN. Don't use the $20 on-sale special DSL/Cable Internet package of the week. How fucking hard is this?