Perilocity: SCADA

April 05, 2007

SCADA Has Holes!

In addition to foreign manufacturers, very long (decade or more) upgrade times, deployments in odd locations that pretty much require network access by non-net-savvy technicians, etc., SCADA also has another bug:

Neutralbit identified the vulnerability in NETxAutomation NETxEIB OPC (OLE for Process Control) Server. OPC is a Microsoft Windows standard for easily writing GUI applications for SCADA. It's used for interconnecting process control applications running on Microsoft platforms. OPC servers are often used in control systems to consolidate field and network device information.
Neutralbit reports that the flaw is caused by improper validation of server handles, which could be exploited by an attacker with physical or remote access to the OPC interface to crash an affected application or potentially compromise a vulnerable server. Neutralbit has also recently published five vulnerabilities having to do with OPC.
— Hole Found in Protocol Handling Vital National Infrastructure, physorg.com, 25 March 2007

Neutralbit also claims this is the first remotely accessible SCADA vulnerability, which the smallest amount of googling shows is not true (I leave that as an exercise for the reader). However, they probably have found a real vulnerability.

Continue reading "SCADA Has Holes!" »

April 05, 2007 in Government, Internet risk management strategies, IT Securiiy, SCADA | Permalink | Comments (1) | TrackBack (0)

October 30, 2006

Water Cracked

This one is new to me:

A foreign hacker who penetrated security at a Harrisburg, Pa., water filtering plant is under investigation by the FBI for planting malicious software capable of affecting the plant's water treatment operations, ABC News has learned.
The hacker tried to covertly use the computer system as its own distribution system for e-mails or pirated software, officials told ABC.
"The concern was high because it is a computer that controls an important infrastructure system, and if, for some reason, it caused it to fail, it would have disrupted service," said Special Agent Jerri Williams of the FBI's Philadelphia field office. Hackers Penetrate Water System Computers Richard Esposito, October 30, 2006 3:15 PM

The report says this isn't the first such water supply cracking incident.

Continue reading "Water Cracked" »

October 30, 2006 in SCADA | Permalink | Comments (0) | TrackBack (0)

Risk Reading

Chris Anderson: The Long Tail: Why the Future of Business Is Selling Less of More
Long Tail > Fat Head; Participation > Broadcast; Niche > Big.
John S. Quarterman: Risk Management Solutions for Sarbanes-Oxley Section 404 IT Compliance
Beyond SOX. Beyond the firewall, into the Internet, where nobody controls everything, and security must become risk management
Jared Diamond: Collapse: How Societies Choose to Fail or Succeed
The author examines societies from the smallest (Tikopia) to the largest (China) and why they have succeeded or failed, where failure has included warfare, poverty, depopulation, and complete extinction. He thought he could do this purely through examining how societies damaged their environments, but discovered he also had to consider climate change, hostile neighbors, trading partners, and reactions of the society to all of those, including re-evaluating how the society's basic suppositions affect survival in changed conditions.
Peter L. Bernstein: Against the Gods: The Remarkable Story of Risk
A highly readable backgrounder on the evolution of risk management, from probabilities to joint stock companies.

Perilocity

Beyond Internet security to risk management

April 05, 2007

SCADA Has Holes!

October 30, 2006

Water Cracked

Search

About

Recent Posts

Categories

Recent Comments

Archives

Risk Reading

Perilocity

Beyond Internet security to risk management

April 05, 2007

SCADA Has Holes!

October 30, 2006

Water Cracked

Search

About

Recent Posts

Categories

Recent Comments

Archives

Risk Reading

Blogroll