Slashdot Mirror

← Back to Stories (view on slashdot.org)

US-CERT Warns of Serious Hole In ActiveX Control From Iconics

Posted by timothy on from the oh-just-a-little-infrastructure-is-all dept.

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

2 of 87 comments (clear)

  1. Controls are a different Beast... by Rogue974 · · Score: 4, Interesting

    I am a Controls Engineer and work with HMI interfaces everyday.

    We keep seeing more and more things like this in the controls world. Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

    Place I work at, we have completely separate hardware then IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway.

    It does scare me when I think about some of the other plants and industries make connections to the intranet for reasons from their controls system and trust that their securities will hold.

    1. Re:Controls are a different Beast... by anchovy_chekov · · Score: 4, Interesting

      You're a very lucky engineer. Back when I was involved in process control - happy days I'm trying to get back to with http://xpca.org/ - so many engineering depts. were under budgetary and business-political pressure to merge their networks with the corporate network and hand over control of the their systems to the better-budgeted (and more politically savvy) IT departments.

      It was madness! Can't control your machinery? Oh, maybe that's because everyone's streaming the Royal Wedding. Too bad.

      I think I've told this story here before but the funniest experience was finding a set of cables hidden along an I-beam, asking about it and then getting grabbed by an engineer and told "Ssh! That's *our* network"

      Seriously, the industry needs an overhaul. We need to get away from the whole OPC / DCOM / ActiveX craziness before some real disaster happens.