Flaw in Chinese Software Leaves Critical Infrastructure Open to Attack 

Vulnerabilities in industrial control systems software from China were brought to light last week by the U.S. Department of Homeland Security's Industrial Control Systems Cyber-Emergency Response Team (ICS-CERT). In a June 16 security advisory, the department warned that SCADA (supervisory control and data acquisition) systems from Beijing-based Sunway ForceControl Technology Co. had bugs that could be remotely exploited by hackers looking to launch attacks on critical infrastructure.

The news, first covered by Reuters, is particularly worrisome coming on the heels of last year's Stuxnet computer worm, which exploited vulnerabilities in Siemens' SCADA software to target nuclear facilities in Iran.

While Sunway's products are most popular in China, they are deployed throughout the world by such vital industries as petroleum, petrochemical, defense, railways, coal, energy, pharmaceutical, telecommunications, water and manufacturing.

A researcher with private security firm NSS Labs, Dillon Beresford, uncovered the bugs, which would allow denial-of-service attacks and remote code execution in Sunway's ForceControl 6.1 WebServer and its pNetPower Version 6 software.

"These are vulnerabilities that hackers could leverage to cause destruction," Beresford told Reuters.

Designed in a pre-Internet era, SCADA systems are particularly vulnerable to Web-based attacks. Since there's no built-in authentication process, IT departments must be diligent in implementing their own security protocols.

Sunway has already created patches for the holes, but Beresford notes it may take months for companies to install them.

"The point of my putting this information out and getting it into the public domain is so that we can pressure the vendors to actually patch the vulnerabilities instead of sitting on them because these systems are inherently flawed by design," the security researcher explained to Reuters.