Software made by a Chinese company and used around the world by chemical, defense, and energy companies contains security holes that attackers could exploit to hack into critical systems.
In an advisory issued yesterday, the Department of Homeland Defense warned of two vulnerabilities in software made by Beijing-based Sunway ForceControl. The Chinese company makes SCADA (supervisory control and data acquisition) software, which is used in computer systems that control and monitor manufacturing plants and equipment used by different industries.
Discovered by security researcher Dillon Beresford of NSS Labs, the security holes could allow cybercriminals to launch a distributed denial-of-service attack or remotely execute arbitrary code on key systems.
Though Sunway's products are mainly used in China, the advisory reports that the company's software is also "deployed in Europe, the Americas, Asia, and Africa" and "across a wide variety of industries including petroleum, petrochemical, defense, railways, coal, energy, pharmaceutical, telecommunications, water, manufacturing, and others."
Upon learning of the security holes, the DHS's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) contacted Sunway as well as China's National Vulnerability Database (CNVD). In response, Sunway issued two patches designed to fix both of the security holes. Though CNVD has validated the patches, neither ICS-CERT nor NSS Labs has so far done so.
The U.S. has in the past warned about the vulnerability of SCADA systems as a result of security holes exploited in several SCADA applications, especially since this software is used by utilities and other companies that manage critical public infrastructure. Many of these companies are also moving their systems away from an environment in which they were isolated from the Internet to one in which they're directly connected to the Internet, another cause for concern.
ICS-CERT advises owners of control system devices to make sure that these devices are protected behind firewalls and isolated from the overall business network. Further, employees who need remote access should use only secure methods, such as virtual private networks (VPNs).