Stuxnet issues rumble on as vulnerabilities remain
By Stewart Mitchell
Posted on 9 Nov 2012 at 11:30
The fallout from Stuxnet continues to rumble on, with security companies claiming similar flaws in other industrial control systems and another victim of the original cyber weapon emerging.
Stuxnet has been widely claimed as the first cyberwar weapon following attacks on Iran's nuclear programme believed to have been undertaken by US and Israeli forces.
Yet more than two years after the tool first came to light, the Siemens control software targeted in the attack remains vulnerable, according to vulnerability testing company Positive Technologies.
The company claims the ICS and SCADA software that controls industrial hardware is riddled with problems, and the specific WinCC software attacked in Iran still contains multiple vulnerabilities.
WinCC is a SCADA (Supervisory Control And Data Acquisition) controller, and despite the problems revealed in Iran, many flaws remain. “It's easy to find a vulnerability in WinCC - you can just point at it,” Sergey Gordeychik, Positive Technologies CTO, told Computer World after cancelling a technical talk to give Siemens more time to fix newly revealed vulnerabilities.
The comments come as the company revealed figures showing a significant rise in the number of SCADA vulnerabilities since the Iranian attacks.
“The ICS/SCADA systems are present in high-speed trains and subway trains, oil and gas pipelines, nuclear power plants, hydroelectricity plants, electric power and water supply management networks,” the company said.
“It is easy to imagine what may happen in case a system failure in a facility occurs as a result of a hacker attack. The number of such threats is growing all the time.”
“During the period from 2005 to early 2010, only 9 vulnerabilities in industrial control systems were discovered; while in 2011, after the detection of the Stuxnet worm, 64 vulnerabilities were discovered. For the first 8 months of 2012, 98 new vulnerabilities were reported — more than during the previous years put together.”
According to Positive Technologies, industrial systems manufacturers are too slow to fix vulnerabilities when they are pointed out, with 20% of potential holes left unfixed for at least a month.
“Most security defects are fixed rather efficiently by the ICS component vendors before they became widely known or within 30 days of uncoordinated disclosure,” the company said. “Approximately every fifth vulnerability was fixed with a significant delay, or was not fixed in certain cases. For instance, Siemens fixed and released patches for 92% of vulnerabilities, while Schneider Electric fixed only 56% of security defects.”
The threat posed by further infection as a result of SCADA attacks has been highlighted after fresh revelations that Stuxnet also infected US oil company Chevron's systems when the malware escaped into the wild in 2010.
“I don’t think the US government even realised how far it had spread,” said Mark Koelmel, general manager of the earth sciences department at Chevron, according to the Wall Street Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished.”
Yet another article that discusses Windows security problems while managing to completely avoid mentioning "Windows" or "Microsoft".
"WinCC is written for the Microsoft Windows operating system. WinCC uses Microsoft SQL Server for logging and comes with a VBScript and ANSI C application programming interface"
And it's insecure? Gee, really? Who'd have thought?
By BrownieBoy6 on 11 Nov 2012