Systems that control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could cause a system takeover, according to a recent research report.
Researchers on March 21 announced that the systems which control dams, oil refineries, railroads and nuclear power plants have a vulnerability that could be used to cause a denial of service or a system takeover.
The flaw, reported by Neutralbit, is the first remotely exploitable SCADA security vulnerability, according to the security services provider. SCADA (supervisory control and data acquisition) is a large-scale, distributed measurement and control system used to monitor or control chemical or transport processes in municipal water supply systems, to control electric power generation, transmission and distribution, gas and oil pipelines and other distributed processes. Wikipedia has a schematic of SCADA here.
Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It's used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information.
Neutralbit reports that the flaw is caused by improper validation of server handles, which could be exploited by an attacker with physical or remote access to the OPC interface to crash an affected application or potentially compromise a vulnerable server. Neutralbit has also recently published five vulnerabilities having to do with OPC.
This isn't the first time that this vital bit of national infrastructure has gotten a black eye. Errata President Robert Graham published a scathing report last year titled "SCADA Security and Terrorism: We're Not Crying Wolf." In that report and in his more recent blog, he called SCADA "completely open to attack, especially OPC."
Graham described the OPC Windows applications as being used to translate between Windows primitives such as MS-RPC/DCOM to back-end protocols that do the actual monitoring and controlling of switches, valves, pressure gauges, thermometers, and so forth.
"These backend protocols are often based upon standards that pre-date Windows," Graham wrote in his blog. "They are horribly insecure because few people in the SCADA industry know what a 'buffer-overflow' is."
Graham said that it took him all of five minutes to find a remotely exploitable bug when he downloaded sample implementations from the OPC Foundation a few years ago.
Graham said that the real problem isn't vulnerabilities but the fact that OPC installations are normally run without authentication such as a username and password. "That means a hacker can control them without having to mess around with things like buffer overflows," he wrote.
If proper authentication and encryption are in fact enabled, a hacker can't actually remotely exploit OPC installations without first logging on, Graham said. This is the case with the vulnerability reported by Neutralbit, he said: "It's only exploitable if the user has login privileges."
In fact, Graham said, he doesn't believe that many SCADA organizations will take this recent vulnerability warning seriously because they know that since their systems are already wide open to attack, patching them against this bug won't stop a hacker.
"That would be wrong," Graham said. "First, there is the possibility of a worm exploiting these bugs. Second, at some point the SCADA industry is going to have to catch up with the rest of the world with regards to securing their products.
"Neutralbit has done an excellent job of explaining to you potential problems with OPC, but they've also explained them to hackers and cyber-terrorists. Any kid who wants to prove he's a vulnerability hunter now knows he can go onto eBay, get some cheap OPC products, find vulnerabilities in them, and announce them to the world."
Graham says there's a "good chance that many more OPC vulnerabilities will be announced and/or exploited in the next couple years."
NETxAutomation has addressed the flaw by releasing version 3.0.1300 of the NETxEIB OPC Server. The company has also released a patch for NETxEIB OPC Server version 3.0. US-CERT recommends restricting remote access to the server to trusted hosts only, by using firewalls or by connecting the servers only to private networks, until a fixed version of the server can be deployed.
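The interim advice above (limit who can reach the OPC server's DCOM/MS-RPC interface) can be applied on the Windows host itself. The following is an added example, not code from the article, US-CERT or NETxAutomation; it assumes Windows Firewall with Advanced Security (the NetSecurity PowerShell module) and uses constructed placeholder addresses for the trusted OPC clients.

```powershell
# Added example: restrict inbound DCOM/MS-RPC access to an OPC server to a
# short list of trusted hosts. The addresses below are constructed placeholders.
$TrustedHosts = @('10.10.1.20', '10.10.1.21')   # OPC clients allowed to connect

# Make the default inbound posture deny, so only explicit allow rules pass traffic.
# (Windows evaluates block rules before allow rules, so a blanket block on TCP 135
# would also cut off the trusted hosts; rely on the default action instead.)
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# DCOM activation starts at the RPC endpoint mapper (TCP 135); the server then
# hands the client a dynamic RPC port. Allow both, but only from trusted hosts.
New-NetFirewallRule -DisplayName 'OPC DCOM endpoint mapper (trusted hosts)' `
    -Direction Inbound -Protocol TCP -LocalPort RPCEPMap `
    -RemoteAddress $TrustedHosts -Action Allow

New-NetFirewallRule -DisplayName 'OPC DCOM dynamic RPC (trusted hosts)' `
    -Direction Inbound -Protocol TCP -LocalPort RPC `
    -RemoteAddress $TrustedHosts -Action Allow

# Audit: any other enabled inbound rule that opens the endpoint mapper to a wider
# address range would undo the restriction; list them so they can be disabled.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -in @('135', 'RPCEPMap') } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action

# Verify the scope of the two rules just created.
Get-NetFirewallRule -DisplayName 'OPC DCOM*' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

This limits network reachability only; it does not add the per-user authentication Graham describes as missing, so it reduces exposure rather than removing it.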
According to its Web site, Neutralbit issued the vulnerability disclosure in collaboration with US-CERT, whose advisory is here, and the affected vendors.
Copyright 2007 by Ziff Davis Media, Distributed by United Press International