Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Warns of Problems In Chinese SCADA Software

Posted by Soulskill on from the not-for-use-in-nuclear-reactors-at-home dept.

alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."

10 of 95 comments (clear)

  1. I've said it before and I'll say it again by Anonymous Coward · · Score: 0, Insightful

    You can't trust the Chinese.

    1. Re:I've said it before and I'll say it again by RatPh!nk · · Score: 3, Insightful

      No need to unfairly single out the Chinese. I feel confident to extend that out to pretty much any nation. Wasn't our bestest friend (sarcasm) Israel found to have the biggest espionage ring yet uncovered rigth here in the US of A?

      --
      Argh. The laws of science be a harsh mistress.
  2. Idiots by sycodon · · Score: 4, Insightful

    Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
  3. Newsflash: Vulnerabilities on software by guanxi · · Score: 2, Insightful

    Is this news? Whatever software you are using has vulnerabilities.

    So what if the software came from China? Do you think software from San Jose is any better? I don't see any evidence of some communist party conspiracy here.

    1. Re:Newsflash: Vulnerabilities on software by Anonymous Coward · · Score: 4, Insightful

      The entire slashdot piece is formulated as an us-vs-them issue. There are thousands of vulnerabilities discovered all the time in all kinds of software, and the submitter just happened to pick one in software sold by a Chinese company and that was discovered by US-based researchers, insinuating that there is something wrong with the Chinese. The nationalities are a red herring. They could have titled the story "Security team warns of problems with SCADA software" but that wouldn't lead to a jingoistic us-vs-them discussion.

    2. Re:Newsflash: Vulnerabilities on software by Intrepid+imaginaut · · Score: 2, Insightful

      Indeed, I don't think there would be a headline if the software was from, say, Finland. Finding evidence it was put there deliberately, that's a different story.

  4. Re:This may be a stupid question... by Silverhammer · · Score: 5, Insightful

    Not necessarily. SCADA is "Supervisory Control And Data Acquisition", which simply means collecting process data for presentation and analysis. Yes, many packages (disclosure: including the one I work on) allow SCADA functions to be performed over TCP/IP networks, but it is not a fundamental part of SCADA. Everything can be done on a single workstation, if that's how you're set up.

  5. Re:Anyone surprised? by barik · · Score: 4, Insightful

    I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

    I'd say that there are flaws in just about every major PLC (Allen-Bradley, Modicon, GE, and so on, to name a few) . Most are just legacy serial protocols that have been wrapped in Ethernet, so these controllers accept arbitrary packets from any source. With protocols like MODBUS, it is fairly easy to construct such packets by hand even.

    --
    Titus Barik
  6. Re:Anyone surprised? by Opportunist · · Score: 1, Insightful

    Yeah. I mean, Siemens is a German company, and we would never expect that from the Germans. It's not like they ever started a war, China on the other hand...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:Anyone surprised? by bell.colin · · Score: 2, Insightful

    The solution is simple, Just because they are Ethernet & TCP/IP now does not mean they need to be connected to the Public Internet.

    DISCONNECT THE DAMN THINGS FROM THE INTERNET!

    If you need remote communication from other sites use WAN links and VPN, Don't use the $20 on-sale special DSL/Cable Internet package of the week. How Fucking hard is this?