All the latest UK technology news, reviews and analysis


UK critical infrastructure at risk from SCADA security flaw

16 Jan 2014
Sellafield nuclear power plant in northern England

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has called for businesses involved in critical infrastructure to be extra vigilant as it investigates a potential critical flaw in a commonly used SCADA system.

ICS-CERT issued the warning in a security advisory after security researcher Luigi Auriemma uncovered a vulnerability that left many of the world's SCADA systems at risk.

"ICS-CERT is aware of a public report of a buffer overflow vulnerability with proof-of-concept (PoC) exploit code affecting Ecava IntegraXor, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product," said the advisory.

"IntegraXor is currently used in several areas of process control in 38 countries with the largest installation based in the United Kingdom, United States, Australia, Poland, Canada, and Estonia. ICS-CERT recommends that users take defensive measures to minimise the risk of exploitation of these vulnerabilities."

Specifically the security team recommended that SCADA users "minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet. Locate control system networks and devices behind firewalls, and isolate them from the business network."

Trend Micro security expert Rik Ferguson told V3 that the vulnerability listed in the advisory is particularly dangerous as it could theoretically be exploited by hackers to launch a variety of attacks, including denial of service.

"According to the researcher, and also to the proof of concept that he has released, this vulnerability results most often in a denial of service condition, which should be concerning enough in itself for the kinds of production environments in which Ecava IntegraXor operates," he said.

"However, Auriemma has also said that in certain conditions the vulnerability can lead to arbitrary execution of code, which could have far more serious ramifications, opening the door to further compromise." 

ICS-CERT confirmed it has contacted Ecava, the company that makes the system, and is working to identify and fix the flaw.

Attacks on critical infrastructure systems have been a growing problem facing businesses and governments. The danger was showcased in 2011 when the notorious Stuxnet malware was discovered targeting Iranian nuclear plants.

The Stuxnet malware subsequently spread and has been discovered in numerous locations, including a Russian nuclear power plant. Security experts have since warned that it is only a matter of time before the Stuxnet malware hits the UK.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson
About

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus
Poll

IT curriculum poll

With coding now compulsory in schools, how important are digital skills for the next generation of school leavers?
65%
8%
18%
9%

Popular Threads

Powered by Disqus
V3 Security Summit

V3 Security Summit Day 2: Botnet, skills and BYOD intelligence incoming

Keep V3 bookmarked for news updates on all the key security concerns and topics facing businesses

Updating your subscription status Loading
Newsletters

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button
hpv3may

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging

ibmv3may

Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Project Manager. Asset Management

Project Manager. Asset Management Asset Management...

Senior Data and Insight Analyst - SQL

Senior Data and Insight Analyst, Financial Sector - SQL...

Database Developer (SQL Server, T-SQL) - Award winning company

Database Developer (SQL Server, T-SQL) - Award winning...

Business Analyst - (Financial Services + Compliance)

Business Analyst - (Financial Services + Compliance...
To send to more than one email address, simply separate each address with a comma.