AREVA corporate logoCritical power infrastructure is once again under threat of attack due to vulnerabilities discovered in a popular brand of SCADA equipment that is used to monitor and control power distribution. According to a string of CVE [1] notices cited in a February 2009 notice circulated by US-CERT, multiple vulnerabilities were found in the e-Terra Habitat system by the French energy products company AREVA. Habitat is a core component of its Energy Management System (EMS), the centerpiece of which is a proprietary database that stores real-time SCADA data.

The flaws highlighted by US-CERT include a buffer overflow, several denial of service risks and the possibility of privilege escalation. These are serious enough, but once again incident response teams are faced with a challenge in finding information about remediation for the vulnerability or even a reliable point of contact at the vendor for obtaining further information.

According to the US-CERT circular, the flaws affect version 5.7 (and earlier) of its Habitat software, and AREVA has released a security patch that addresses the flaws. It is worth noting that the bugs are serious, allowing a knowledgable attacker to crash monitoring systems and, in the most serious instance, to execute arbitrary commands remotely, without the need for access credentials. For this reason, US-CERT highlighted the importance of network monitoring and of ensuring isolation of networks containing SCADA control and measurement components. Unfortunately, even the more security conscious of infrastructure operators is more and more likely to have planned or unplanned points of connection to public networks.

It is unfortunate that SCADA equipment vendors are often less than transparent about the risks in their products, for commercial reasons.  And because of the unique nature of the SCADA industry, there is far less independent and non-government-funded scrutiny of these network components. In this line of business, there seems to be an unhealthy degree of what appears to be security through obscurity.

Notes:
[1] CVE is the Common Vulnerabilities and Exposures database

Tagged with:
 

Leave a Reply



Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!

Visit our friends!

A few highly recommended friends...