San Francisco: Attackers could gain control of countries’ water treatment plants, natural gas pipelines and other critical utilities because of a vulnerability in the software that runs such facilities, security researchers reported on Wednesday.
Experts with Boston-based Core Security Technologies, who discovered the deficiency, said there is no evidence anyone else found or exploited the flaw.
Security experts say the finding highlights the possibility that hackers could cut the power to entire cities, poison a water supply by disrupting water treatment equipment, or cause a nuclear power plant to malfunction by attacking the utility’s controls.
Citect Pty. Ltd, which makes the software programme called CitectSCADA, patched the hole last week, five months after Core Security first notified Citect of the problem.
But the vulnerability could have counterparts in other supervisory control and data acquisition, or Scada, systems.
Scada systems remotely manage computers that control machinery, including systems at nuclear power plants.
Customers that use CitectSCADA include natural gas pipelines in Chile, copper and diamond mines in Australia and Botswana, and a pharmaceutical plant in Germany.
An attack exploiting the vulnerability that Core Security revealed would require the target network to be connected to the Internet. That goes against industry policy but does happen when companies have lax security measures, such as connecting control systems’ computers and computers with Internet access to the same routers.
The Citect vulnerability, called a “buffer overflow,” allows a hacker to gain control of a programme by sending a computer too much data.
“It’s not a very elaborate problem,” Ivan Arce, Core Security’s chief technology officer, said in an interview. “If we found this thing—and this was not that hard—it would be easy for someone else to do it.”
Citect representatives did not return calls for comment. The company said that customers should isolate their Scada systems entirely from the Internet or take other steps to prevent their systems from talking to the outside world.
Control systems are increasingly vulnerable to Internet-borne threats, since viruses and worms have disrupted service in power plants, automobile factories and gasoline pipelines—even when those facilities were not targeted.
Alan Paller, director of research for the SANS Institute, which operates an early computer attack warning system, said Core Security Technologies’ discovery shows many facilities may remain vulnerable. “It dashes the defence of, ‘We’re different, we don’t have that kind of problem.’”