Discovery prompts a global drive to fix issues in highly deployed control system.
Major bugs in the software used by power plants, oil rigs and refineries could make them highly vulnerable to remote hacking attacks, prompting a global drive to fix issues in highly deployed control system, a new report revealed.
Security researchers at Rapid7 discovered the flaws, which if exploited, could allow hackers remote access to control systems at the facilities.
Despite claims that an attacker with ‘low skill’ could exploit the bugs, the vulnerable software is being used by about 7,600 plants across the globe, according to the US Department of Homeland Security (DHS).
As part of research, the Rapid7 team discovered several bugs in Yokogawa’s Centum CS 3000 software, which was originally designed to run with Windows 98, making it rather oitdated.
"We went from zero to total compromise," researcher Juan Vazquez said of the findings.
"If you are able to exploit the vulnerabilities we have identified you get control of the Human Interface Station," Diaz added.
"That’s where the operator sits or stands and monitors operational details.
"If you have control of that station as an attacker you have the same level of control as someone standing on the plant floor wearing a security badge."
Following the report, the US DHS’ Computer Emergency Response Team (ICS-Cert) issued an alert concerning the vulnerabilities, and warned Centum CS 3000 users to assess whether they were exposed and implement a patch if required.
However, Yokogawa issued a patch notifying that not all Centum CS 3000 users need to apply this patch immediately.
"This depends on how their systems are connected to external networks and on the security measures that are in place."
UK organisations that are involved with power plants and other critical parts of nation’s infrastructure have been alerted about the risk, with the BBC saying that such alerts are believed to be relatively common, with many companies already having policies and practices in place to handle updates and changes.