A system-management software program used in Western nuclear, oil and gas, and water sectors is vulnerable to attacks in which hackers could shut down or hijack entire plants and utility networks, the Associated Press reports.
The vulnerability in Australia-based Citect's supervisory control and data acquisition (SCADA) software, CitectSCADA, was discovered five months ago by Core Security Technologies of Boston. Citect issued a patch for the security hole last week, according to the report.
Core Security has been working with Computer Emergency Response Teams (CERTs) from Argentina, Australia, and the United States to ensure all CitectSCADA users are notified of the vulnerability. It is unknown, however, whether all users have installed the new patch.
The critical vulnerability, known as a "buffer overflow," allows an attacker to commandeer the software by overflowing a computer with data.
"It's not a very elaborate problem," Ivan Arce, Core Security's chief technology officer, told the AP . "If we found this thing — and this was not that hard — it would be easy for someone else to do it."
The vulnerability exposes CitectSCADA users to two threats, Core Security said in a statement. It "could allow a remote un-authenticated attacker to force an abnormal termination of the vulnerable software (Denial of Service) or to execute arbitrary code on vulnerable systems to gain complete control of the software."
This could have disastrous consequences if the hack was performed by an individual or group with ill intent, says the AP.
Security experts say the finding highlights the possibility that hackers could cut the power to entire cities, poison a water supply by disrupting water treatment equipment, or cause a nuclear power plant to malfunction by attacking the utility's controls.
That possibility has grown in recent years as more of those systems are connected to the Internet.
Arce said most utility operators expose their networks to the Internet through wireless and wired corporate data networks. Citect urged organizations running its SCADA software to isolate it from the Internet or use protective technologies, such as firewalls, to block illicit access to the system.
Nevertheless, "vulnerabilities of this nature can pose serious risks to any businesses using this technology and both the vendor and user organizations should be diligent and address them in a timely manner,” Core Securities said in a statement .