China syndromeDHS warns of critical vulnerabilities in Chinese software

Published 23 June 2011

Last week DHS warned that control software widely used in China’s weapons systems, utilities, and chemical plants has dangerous weaknesses that leave it open to hackers; the warning, issued by the DHS Industrial Control Systems Cyber Emergency Response Team (ISC-CERT), stems from critical vulnerabilities found in SCADA software developed by Beijing’s Sunway ForceControl Technology

Last week DHS warned that control software widely used in China’s weapons systems, utilities, and chemical plants has dangerous weaknesses that leave it open to hackers.

The warning, issued by the DHS Industrial Control Systems Cyber Emergency Response Team (ISC-CERT), stems from critical vulnerabilities found in SCADA software developed by Beijing’s Sunway ForceControl Technology.

SCADA (Supervisory Control and Data Acquisition) softwareis used to control complex automated processes in nearly every industry including pharmaceutical manufacturing, electrical grids, oil pipelines, and nuclear power plants.

DHS is particularly concerned about Sunway’s ForceControl and pNetPower SCADA/HMI applications.

 

“Successful exploitation of these vulnerabilities could allow an attacker to perform a remote denial of service or to remotely execute arbitrary code against the ForceControl and pNetPower server applications,” said the DHS advisory. “This action can result in adverse application conditions and ultimately impact the production environment on which the SCADA system is used.”

The advisory added, “Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.”

 

The Stuxnet virus has put nations on high alert against potential vulnerabilities in SCADA software, as the virus targeted the SCADA control system controlling centrifuges at an Iranian nuclear enrichment facility causing them to spin out of controland damaging the facility.

DHS researchers worked with Sunway and the China National Vulnerability Database (CNVB) to address the vulnerabilities and Sunway has issued to software patches that correct the problem.