AusCERT sends advisory for SCADA holes

Summary: The Australian Computer Emergency Response Team (AusCERT) has issued a warning for 34 zero-day security holes affecting four Supervisory Control and Data Acquisition (SCADA) systems.

(Trap image by Judit Klien, CC BY-ND 2.0)

The unpatched vulnerabilities were released this week by security researcher Luigi Auriemma on a Bugtraq email list, and they affect SCADA systems from Siemens, Iconics, DATAC and 7-Technologies.

The AusCERT notification offered general remedial advice, urging subscribers to segregate SCADA networks and restrict virtual private network access.

AusCERT senior information security analyst Zane Jarvis said the threats are "old-school exploits".

"The hacks are pretty basic, old-school attacks," Jarvis said. "The application of the vulnerability is enormous."

Experts say it is impossible to determine what industries may be affected by the vulnerabilities.

Auriemma told The Register that he published the vulnerabilities before a fix was available, under a process known colloquially as "full disclosure", because of vendor disregard.

Full disclosure is controversial because it alerts criminals to attack avenues and places users at risk. Typically, security researchers notify affected vendors and allow them to fix the problem before disclosing vulnerabilities.

Jarvis said that in his experience SCADA vendors have proven attentive and willing to fix vulnerabilities, but that SCADA systems often encounter problems when they are patched.

He said disclosure is a "personal choice".

About

Darren Pauli has been writing about technology for almost five years. He covers a gamut of news with a special focus on security, keeping readers informed about the world of cyber criminals and the safety measures needed to thwart them.
