Power plants put at risk by security bugs

Author:
Mark Ward, BBC News

Date
04/04/2014

The discovery of bugs in software used to run oil rigs, refineries and power plants has prompted a global push to patch the widely used control system. The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations. The US Department of Homeland Security said an attacker with "low skill" would be able to exploit the bugs. About 7,600 plants around the world are using the vulnerable software.

"We went from zero to total compromise," said Juan Vazquez, a researcher at security firm Rapid7 who, with colleague Julian Diaz, found several holes in Yokogawa's Centum CS 3000 software.

Critical path
First released to run on Windows 98, the Centum CS 3000 software is used to monitor and control machinery in many large industrial installations. "If you are able to exploit the vulnerabilities we have identified you get control of the Human Interface Station," said Mr Diaz. "That's where the operator sits or stands and monitors operational details. If you have control of that station as an attacker you have the same level of control as someone standing on the plant floor wearing a security badge," he said.

Rapid7's work prompted the Computer Emergency Response Team of the US Department of Homeland Security that deals with critical infrastructure to issue an alert about the vulnerabilities. In its alert, ICS-Cert said companies using Centum CS 3000 should evaluate whether they were at risk and apply a patch if it was needed. "An attacker with a low skill would be able to exploit these vulnerabilities," it said in its alert.

The Rapid7 researchers alerted Yokogawa about their findings before publicising their work to give the company time to produce a patch that can close the loopholes. "Not all Centum CS 3000 users need to apply this patch immediately," said Yokogawa in a statement. "This depends on how their systems are connected to external networks and on the security measures that are in place."

Yokogawa said it was in the process of contacting customers who might be vulnerable and urging those who were at risk to apply its patch. Computer Emergency Response Teams (Cert) in several other nations have helped to spread the word about the findings. The UK's newly formed Cert declined to comment on the issue.

BBC News
