SCADA security bug exposes world's critical infrastructure The Register: "Gasoline refineries, manufacturing plants and other industrial facilities that rely on computerized control systems could be vulnerable to a security flaw in a popular piece of software that in some cases allows attackers to remotely take control of critical operations and equipment.
The vulnerability resides in CitectSCADA, a software product used to manage industrial control mechanisms known as SCADA, or Supervisory Control And Data Acquisition, systems. As a result, companies in the aerospace, food, manufacturing and petroleum industries that rely on Citect's SCADA products may be exposing critical operations to outsiders or disgruntled employees, according to Core Security, which discovered the bug.
Citect and Computer Emergency Response Teams (CERTs) in the US, Argentina and Australia are urging organizations that rely on CitectSCADA to contact the manufacturer to receive a patch. In cases where installing a software update is impractical, organizations can implement workarounds.
In theory, the bug should be of little consequence, since there is general agreement that SCADA systems, remote terminal units and other critical industrial controls should never be exposed to the internet.
But 'in the real world, in real scenarios, that's exactly what happens, because corporate data networks need to connect to SCADA systems to collect data that's relevant to running the business,' said Ivan Arce, CTO of Core. 'Those networks in turn may be connected to the internet.'" ...