Stuxnet issues rumble on as vulnerabilities remain
By Stewart Mitchell
Posted on 9 Nov 2012 at 11:30
The fallout from Stuxnet continues to rumble on, with security companies claiming similar flaws in other industrial systems controls and another victim of the original cyber weapon emerging.
Stuxnet has been widely claimed as the first cyberwar weapon following attacks on Iran's nuclear programme believed to have been undertaken by US and Israeli forces.
Yet more than two years after the tool first came to light, the Siemens control software targeted in the attack remains vulnerable, according to vulnerability testing company Positive Technologies.
The company claims the ICS and SCADA software that controls industrial hardware is riddled with problems, and the specific WinCC software attacked in Iran still contains multiple vulnerabilities.
For the first 8 months of 2012, 98 new vulnerabilities were reported — more than during the previous years put together
WinCC is a SCADA (Supervisory Control And Data Acquisition) controller, and despite the problems revealed in Iran many flaws remain. "It's easy to find a vulnerability in WinCC - you can just point at it,” Sergey Gordeychik, Positive Technologies CTO told Computer World after cancelling a technical talk to give Siemens more time to fix newly revealed vulnerabilities.
The comments come as the company revealed figures showing a significant rise in the number of SCADA vulnerabilities since the Iranian attacks.
“The ICS/SCADA systems are present in high-speed trains and subway trains, oil and gas pipelines, nuclear power plants, hydroelectricity plants, electric power and water supply management networks,” the company said.
“It is easy to imagine what may happen in case a system failure in a facility occurs as a result of a hacker attack. The number of such threats is growing all the time."
“During the period from 2005 to early 2010, only 9 vulnerabilities in industrial control systems were discovered; while in 2011, after the detection of the Stuxnet worm, 64 vulnerabilities were discovered. For the first 8 months of 2012, 98 new vulnerabilities were reported — more than during the previous years put together.”
According to Positive Technologies, industrial systems manufacturers are too slow to fix vulnerabilities when they are pointed put, with 20% of potential holes left unfixed for at least a month.
“Most security defects are fixed rather efficiently by the ICS component vendors before they became widely known or within 30 days of uncoordinated disclosure,” the company said. “Approximately every fifth vulnerability was fixed with a significant delay, or was not fixed in certain cases. For instance, Siemens fixed and released patches for 92% of vulnerabilities, while Schneider Electric fixed only 56% of security defects.”
The threat posed by further infection as a result of SCADA attacks has been highlighted after fresh revelations that the malware also infected US oil company Chevron's systems when the Stuxnet malware escaped into the wild in 2010.
“I don’t think the US government even realised how far it had spread,” said Mark Koelmel, general manager of the earth sciences department at Chevron, according to the Wall Street Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished."
Is your business a social business? For helpful info and tips visit our hub.
Yet another article that discusses Windows security problems while managing to completely avoid mentioning "Windows" or "Microsoft".
"WinCC is written for the Microsoft Windows operating system. WinCC uses Microsoft SQL Server for logging and comes with a VBScript and ANSI C application programming interface"
And it's insecure? Gee, really? Who'd have thought?
By BrownieBoy6 on 11 Nov 2012
- Windows 8.1 Update: an abject surrender
- The insane economics of Sky Now TV
- No such thing as a free app... so pay up if you want quality
- Time to outlaw crapware-laden installers
- Windows Phone 8.1 video: hands-on
- Office for iPad: key information
- Why every PC buyer owes Richard Durkin a debt of gratitude
- HTC One M8 vs Samsung Galaxy S5: 2014's big-hitters compared
- Windows XP end of life: key information
- Cut out the broadband jargon? What jargon?
- How to write your company's IT security policy
- The key to choosing a secure password
- Please stop reposting fake Facebook messages
- Is Facebook safe for business?
- Don't rely on Chrome's password vault
- Facebook Graph Search: don't panic
- Gmail drafts and Pastebin: could they evade the email snoops?
- Applying for a job at GCHQ? Here's your plain-text password
- Google two-step verification: a must for business email
- Yes, I write down my passwords