US Warns of Problems In Chinese SCADA Software 95
alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."
Re:This may be a stupid question... (Score:4, Interesting)
You'd be surprised but I bet many maybe most US manufactures have their shot floor networks connected to the their other networks for one reason or another. Do they firewall the crap out them, well probably but that is no air gap?
In my experience this is how its usually evolved on the networks I've seen
1. Shop floors started off with some proprietary network, not connected to anything else
2. Equipment got upgraded and replaced with cheaper ethernet or token over ethernet solutions
3. Management eventually decides that simplifying and increasing statistics gather and reporting is worth the risk of connecting the shop floor networks to the rest of the corporate networks, even though IT warned them of the potential risks. They tell IT "Just don't let that happen"
4. IT installs good a good firewall with strong rules, and establishes solid procedures around what, how, when, and who connects anything to the shop floor. This works well at time.
5. The vendor, who has never properly documented the communications requirements of their software, sends some techs out to do an upgrade or change or something. Said techs run into problems and lacking any documentation assume its IT's security measures causing them. Management is upset because the line has stopped and they are paying these consultants by the hour on top of that. They demand IT relax the rules.
6. The consultants get the shop floor running again but they never really circle back and tell IT what the issue was, perhaps it was unrelated, who knows.
7. You might think IT will sniff packets for awhile and see what actually could be tightened back down but they won't because, they have other problems and have spent a week being interrupted by the consultants already, management wants to see those other projects getting done. All the procedures don't get updated either. The security measures while still in place are mostly ineffective.