US warns China software risk to public infrastructure

Homeland Security department warns applications from Chinese firm have flaws hackers can exploit to launch attacks on critical infrastructure systems, reports Reuters.
Written by Jamie Yap, Contributor

The U.S. Department of Homeland Security (DHS) has issued a warning after a security researcher discovered software from a Chinese company contained bugs which hackers could exploit to launch attacks on critical infrastructure including utilities, Reuters reported.

The newswire wrote Friday that the DHS' Industrial Control Systems Cyber Emergency Response Team cautioned organizations against products from Beijing-based Sunway ForceControl Technology, which are said to be widely used in China to run infrastructure systems and to a lesser extent in other countries including the United States.

The vulnerabilities were discovered by Dillon Beresford, a researcher with private security firm NSS Labs, who told Reuters that hackers could leverage the flaws to "cause destruction".

Beresford acknowledged that Sunway had come up with software patches to plug the holes but pointed out that it could take customers months to install the patches, which would present hackers a "window of time in which to exploit those vulnerabilities".

The software flaws in Sunway, whose representatives could not be reached for comment at the time of reporting, point to growing concerns on the safety of supervisory control and data acquisition (SCADA) systems that are used to monitor and manage processes in industrial facilities such as nuclear power plants and water distribution networks, Reuters said.

It added that SCADA computer systems were designed before Internet use became widespread and are not built to withstand Web-based attacks. As a result, any Web security tools are "bolted on" rather than incorporated into the systems, leaving gaps for hackers to infiltrate.

Beresford told Reuters that other vulnerabilities in SCADA systems have yet to be documented and plugged by manufacturers.

"The point of my putting this information out and getting it into the public domain is so that we can pressure the vendors to actually patch the vulnerabilities instead of sitting on them because these systems are inherently flawed by design," he said.

Last May, Beresford openly expressed dismay that a planned conference to discuss SCADA security flaws he earlier discovered in Siemens' industrial control system products was cancelled at the request of U.S. cybersecurity officials and Siemens representatives.

Last year, critical infrastructure threats hogged headlines amid reports of increasing Stuxnet infections. At that time, security experts were concerned about the magnitude and maliciousness of the computer worm, which was initially written to target SCADA systems running Siemens' WinCC software.

There was also speculation that Stuxnet was created to sabotage an Iranian nuclear plant, which the country acknowledged was infected but denied that serious damage was caused.

The IT security landscape most recently has been abuzz with prolific data breaches and hack attacks on numerous public and private organizations, including the International Monetary Fund (IMF), U.S. Senate, weapons maker Lockheed Martin, Citigroup, Sony, RSA and Epilson.

Editorial standards