TechNewsWorld.com

Critical Flaw Left Utilities Vulnerable to Attack for 5 Months


A flaw in a software application that remotely controls utility systems has raised concerns about their security. Core Security Technologies identified a flaw that allows a buffer overflow attack in Citect's supervisory control and data acquisition software and notified the company. Citect took five months to fix the flaw.



A vulnerability found in utility control software is raising serious questions over municipal security. The issue, revealed Wednesday morning, could have let attackers take control of water treatment plants, natural gas lines and potentially even nuclear power plant equipment.

Security firm Core Security Technologies discovered the problem and says it notified the system manufacturer five months ago -- yet the flaw was not fixed until last week.

Control Concern

The systems in question, created by Citect, allow remote management of machinery at various plants.

Water treatment centers in Louisiana and North Carolina both use the technology, as do natural gas facilities in Chile and pharmaceutical manufacturing centers in Germany. The bug, Core Security says, could have handed hackers control of any of those systems -- theoretically giving them the power to stop an entire city's water treatment or knock out power to tens of thousands.

"The problem is a classic example of buffer overflow from the '90s," Core Security CTO Ivan Arce told TechNewsWorld. "It's not a very sophisticated thing, [which] makes it surprising."

Engineers pinpointed the problem during a routine analysis. It didn't take them long to determine just how serious the vulnerability was.

"You send a couple of malicious packets to an open port, then the service will crash and it will be quite evident," Arce noted.

Investigators do not believe anyone else took advantage of the loophole or even realized it existed.

Delayed Response

The flaw was first found in January, but Core Security says it was not corrected until just a few days ago.

"This could have been done better -- especially on such a critical software," Arce told TechNewsWorld. "It's not somebody's FTP server. It's software that is critical and should be addressed in a more timely manner."

The prolonged response spurs plenty of apprehension over homeland security and how earnestly problems are being pursued.

"Time is not on our side," said Bill Smullen, director of national security studies at the Maxwell School of Syracuse University. "I think we need to be a little bit quicker on the draw than letting that amount of time go by."

Lessons Learned

The discovery highlights the broad nature of vulnerabilities in our Internet-enabled age. One result of this week's revelation may be learning how to better deal with such issues in the future.

"The idea of an Internet threat is something that is going to grow -- not diminish," Smullen told TechNewsWorld.

"Any time you identify a problem, you need to alert anybody and everybody who has a role in correcting it so they can intercede. We need to move faster and do things better," he said.

Core Security hopes for a similar lesson. Its engineers can help find the problems, Arce said, but the next steps are out of their hands.

"Every software is vulnerable," he noted. "Every single piece of software is man-made -- and if it's man-made, it's prone to errors. The important thing is not just how many bugs are out there, but also how prepared are the different organizations ... to react in a timely and precise manner."

Making the world's cyberspace as secure as its airspace may be a daunting challenge -- but in today's technology-driven world, it's one Smullen says must be addressed.

"Threats will continue to exist -- they will be never-ending. There's not going to be any such thing as a perfect world, and we just need to work together to not necessarily totally eliminate -- but to certainly reduce -- the vulnerability," he said.




More by JR Raphael
