Expert: public utilities may be at risk for hacking

Researchers with security firm Core Security Technologies are warning that flaws within the software that manages the nation's public utility systems may be vulnerable to incursion via the Internet.

The problem exists in software called CitectSCADA, which is used to control industrial processes. SCADA is short for "Supervisory Control and Data Acquisition." The flaw has only been patched for a week, although Core Security notified Citect five months ago.

CitectSCADA software is used by a wide variety of companies, including many public utilities. In addition, Citect's clients also span across the aerospace, food, and manufacturing sectors.

As Core Security alleged, an attacker would be able to execute code by taking advantage of the flaw, which is due to a buffer overflow issue. This could result in loss of control of whatever system the software is administrating, Core Security said in an advisory.

There is the outside chance that this vulnerability may exist on other platforms, the firm added.

Two months ago, a power company hired a security engineering team led by Ira Winkler to break into its SCADA system. The team accomplished this using perhaps the simplest trick in the book: It sent e-mails to power company employees with fake links promising to take them to reports about their benefits plan. Those links instead launched a password-harvesting virus. Winkler's team used the stolen passwords to gain access literally within minutes.

While SCADA software makers advise their customers to keep the systems separate from the Internet, not all have taken steps to assure it is completely cut off. In addition, it would also just take a disgruntled employee to perform the hack internally as well, without even needing the Internet.

"Vulnerabilities of this nature can pose serious risks to any businesses using this technology and both the vendor and user organizations should be diligent and address them in a timely manner," the firm's chief technical officer Ivan Arce said.

Arce's team was behind the detection last September of a serious hole in AOL's Instant Messenger that it demonstrated could lead to Web browser hijacks, and also the discovery last February of a security hole in VMware that would enable a stealth attack under the guise of a virtual machine, where malicious users could generate and run executable code practically at will.

Curiously, security engineer Winkler doesn't appear to hold any particular affection for security engineer Arce or his team. Back in May 2007, Winkler called Core Security to task for running ads in major publications stating it had discovered macros in Microsoft Office files were vulnerable, accusing the company of scare-mongering.

"Anyone with a clue knows that the macro abilities embedded within those file types has been proven to enable attacks for over a decade," Winkler wrote on his blog at the time. "The fact that a security company feels compelled to have this as the main teaser line either demonstrates that they have little faith in the intelligence of the readers (although they may be right) and is an insult to our intelligence, or they don't have a clue."

But Winkler and Arce do appear to agree upon the potential severity of the SCADA vulnerability. It could be said that the SCADA problem could pose a national security risk if not remedied, based on a read of Core Security's advisory. The CIA warned public utilities earlier this year that attacks on public utilities launched through the Internet have already occurred in other countries, one resulting in a power outage that affected multiple cities.

In fact, Homeland Security officials have already run several simulated events to prepare for an eventuality where public utilities were compromised through the Internet. In the end however, calls for better security within SCADA software are nothing new.

The Federal Energy Regulatory Commission in January approved eight mandatory security standards specifically aimed at the electricity industry in order to protect systems from Internet-based attacks.

Scott M. Fulton, III contributed to this report.