Skip to navigation
Latest News

Stuxnet issues rumble on as vulnerabilities remain

passwords

By Stewart Mitchell

Posted on 9 Nov 2012 at 11:30

The fallout from Stuxnet continues to rumble on, with security companies claiming similar flaws in other industrial systems controls and another victim of the original cyber weapon emerging.

Stuxnet has been widely claimed as the first cyberwar weapon following attacks on Iran's nuclear programme believed to have been undertaken by US and Israeli forces.

Yet more than two years after the tool first came to light, the Siemens control software targeted in the attack remains vulnerable, according to vulnerability testing company Positive Technologies.

The company claims the ICS and SCADA software that controls industrial hardware is riddled with problems, and the specific WinCC software attacked in Iran still contains multiple vulnerabilities.

For the first 8 months of 2012, 98 new vulnerabilities were reported — more than during the previous years put together

WinCC is a SCADA (Supervisory Control And Data Acquisition) controller, and despite the problems revealed in Iran many flaws remain. "It's easy to find a vulnerability in WinCC - you can just point at it,” Sergey Gordeychik, Positive Technologies CTO told Computer World after cancelling a technical talk to give Siemens more time to fix newly revealed vulnerabilities.

The comments come as the company revealed figures showing a significant rise in the number of SCADA vulnerabilities since the Iranian attacks.

“The ICS/SCADA systems are present in high-speed trains and subway trains, oil and gas pipelines, nuclear power plants, hydroelectricity plants, electric power and water supply management networks,” the company said.

“It is easy to imagine what may happen in case a system failure in a facility occurs as a result of a hacker attack. The number of such threats is growing all the time."

“During the period from 2005 to early 2010, only 9 vulnerabilities in industrial control systems were discovered; while in 2011, after the detection of the Stuxnet worm, 64 vulnerabilities were discovered. For the first 8 months of 2012, 98 new vulnerabilities were reported — more than during the previous years put together.”

According to Positive Technologies, industrial systems manufacturers are too slow to fix vulnerabilities when they are pointed put, with 20% of potential holes left unfixed for at least a month.

“Most security defects are fixed rather efficiently by the ICS component vendors before they became widely known or within 30 days of uncoordinated disclosure,” the company said. “Approximately every fifth vulnerability was fixed with a significant delay, or was not fixed in certain cases. For instance, Siemens fixed and released patches for 92% of vulnerabilities, while Schneider Electric fixed only 56% of security defects.”

Wider threat

The threat posed by further infection as a result of SCADA attacks has been highlighted after fresh revelations that the malware also infected US oil company Chevron's systems when the Stuxnet malware escaped into the wild in 2010.

“I don’t think the US government even realised how far it had spread,” said Mark Koelmel, general manager of the earth sciences department at Chevron, according to the Wall Street Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished."

Subscribe to PC Pro magazine. We'll give you 3 issues for £1 plus a free gift - click here
User comments

Windows problems

Yet another article that discusses Windows security problems while managing to completely avoid mentioning "Windows" or "Microsoft".

From Wikipedia:
"WinCC is written for the Microsoft Windows operating system. WinCC uses Microsoft SQL Server for logging and comes with a VBScript and ANSI C application programming interface"

And it's insecure? Gee, really? Who'd have thought?

By BrownieBoy6 on 11 Nov 2012

Leave a comment

You need to Login or Register to comment.

(optional)

advertisement

Most Commented News Stories
Latest Blog Posts Subscribe to our RSS Feeds
Latest ReviewsSubscribe to our RSS Feeds
Latest Real World Computing

advertisement

Sponsored Links
 
SEARCH
Loading
WEB ID
SIGN UP

Your email:

Your password:

remember me

advertisement


Hitwise Top 10 Website 2010
 
 

PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Register to receive our regular email newsletter at http://www.pcpro.co.uk/registration.

The newsletter contains links to our latest PC news, product reviews, features and how-to guides, plus special offers and competitions.