funsec mailing list archives
Re: SCADA Systems Vulnerabilities Exposed
From: "Daniel H. Renner" <dan () losangelescomputerhelp com>
Date: Thu, 10 May 2007 10:11:00 -0700
Back in early 2000 my neighbor worked for the testing shop of the Burbank Power Department.
He complained to me about the switch from VMS to NT systems running the SCADA system, and how slow and clumsy the new system was.
And in that same time period we saw errors in an NT system sinking a US Navy ship, so why would it be surprising that the new SCADA system is any better off?
Sincerely,
Daniel H. Renner
President
Los Angeles Computerhelp
A division of Computerhelp, Inc.
818-352-8700
http://losangelescomputerhelp.com

funsec-request () linuxbox org wrote:

Date: Thu, 10 May 2007 05:12:29 GMT
From: "Fergie" <fergdawg () netzero net>
Subject: [funsec] SCADA Systems Vulnerabilities Exposed
To: funsec () linuxbox org
Message-ID: <20070509.221239.725.1316340 () webmail18 lax untd com>
Content-Type: text/plain

Via the InfoWorld "Zero Day Security" Blog.

[snip]

Ironically, as I was busy piecing-together Tuesday's story on infrastructure systems security trends, I missed the fact that researchers were reporting what are believed to be the first remotely-exploitable vulnerabilities in so-called Supervisory Control And Data Acquisition (SCADA) systems.

In essence, the research forwards tangible proof of remotely exploitable flaws in products used to manage facilities such as oil and gas refineries, electrical power grids and nuclear power plants.

According to researchers with industrial security specialists Neutralbit, based in Barcelona, Spain, the company has uncovered five different problems in the OPC protocol -- the OLE (Object Linking and Embedding) for Process Control industry standard -- which is used to help foster communication of plant data between control devices made by different manufacturers.

The vulnerabilities, present in a number of systems, could allow for a range of different performance-sapping or denial-of-service type attacks on affected SCADA operations, Neutralbit reported.

[snip]

More: http://weblog.infoworld.com/zeroday/archives/2007/05/infrastructure.html

Note [1]: Neutralbit "specializes" in security services, so face value. However, if this is indeed an issue, kudos to them for researching it, and finding the vulnerabilities.

Note [2]: Would _you_ use an OLE (Microsoft) technology for critical infrastructure?

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.