Slashdot Mirror


Researcher Publishes Industrial Complex Hack

snydeq writes "Security researcher Kevin Finisterre has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants, and even oil and gas refineries. The code exploits a flaw in supervisory control and data acquisition software from Citect. The vendor has released a patch and risk arises only for systems connected directly to the Internet without firewall protection. Finisterre, however, sees the issue as indicative of a 'culture clash' between IT and process control engineers, who are reluctant to bring computers off-line for patching due to the potential havoc wreaked by downtime. 'A lot of the people who run these systems feel that they're not bound by the same rules as traditional IT,' Finisterre said. 'Their industry is not very familiar with hacking and hackers in general.'"

1 of 190 comments

  1. Re:Disconnected from reality by timmarhy · Score: 0, Flamebait
    agreed. the author is just another jerk off attempting to gain some attention by making wild claims about technology he clearly doesn't grasp. most of these control systems are isolated from any network. I think your email example is apt, this isn't a case of process engineers not understanding IT, it's IT that doesn't understand the processes behind the computer systems.

    we get it here all the time at work, IT will apply some patch to our systems that wreaks havoc on our production and they give some lame justification like "it's needed to protect us from the latest shady website plugin hack" as if the DCS control pc is going to be browsing the fucking web....

    --
    If you mod me down, I will become more powerful than you can imagine....