US Warns of Problems In Chinese SCADA Software

alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."

Anyone surprised?

[Opportunist]

I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

Re:Anyone surprised?

[barik]

I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

I'd say that there are flaws in just about every major PLC (Allen-Bradley, Modicon, GE, and so on, to name a few) . Most are just legacy serial protocols that have been wrapped in Ethernet, so these controllers accept arbitrary packets from any source. With protocols like MODBUS, it is fairly easy to construct such packets by hand even.

Idiots

[sycodon]

Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

Re:This may be a stupid question...

[Silverhammer]

Not necessarily. SCADA is "Supervisory Control And Data Acquisition", which simply means collecting process data for presentation and analysis. Yes, many packages (disclosure: including the one I work on) allow SCADA functions to be performed over TCP/IP networks, but it is not a fundamental part of SCADA. Everything can be done on a single workstation, if that's how you're set up.

Re:Newsflash: Vulnerabilities on software

The entire slashdot piece is formulated as an us-vs-them issue. There are thousands of vulnerabilities discovered all the time in all kinds of software, and the submitter just happened to pick one in software sold by a Chinese company and that was discovered by US-based researchers, insinuating that there is something wrong with the Chinese. The nationalities are a red herring. They could have titled the story "Security team warns of problems with SCADA software" but that wouldn't lead to a jingoistic us-vs-them discussion.

Re:I've said it before and I'll say it again

[RatPh!nk]

I didn't realize the source was sh*tty (i still have no idea who or what rense is) it happened to be the first 2 or so hits on Google. However this is established that Israel spies on the US just as much, if not more than anyone. If different sources make you feel better:

http://en.wikipedia.org/wiki/Lawrence_Franklin_espionage_scandal http://www.alternet.org/world/130891/breaking_the_taboo_on_israel's_spying_efforts_on_the_united_states/
http://www.msnbc.msn.com/id/24256527/ns/us_news-security/t/american-charged-giving-secrets-israel/

You could list *any* country here. No need to get your vagina's up in arms because someone said something bad about Israel. The point was China is just the next in a long line of countries spying. Now, it might be much worse given how much they make for the US.