March 24, 2011, 11:53 AM — An independent security researcher has issued warnings through the federal U.S. Computer Emergency Response Readiness Team that utilities, traffic-management systems and other organizations in the U.S. are vulnerable to the same type of attacks that bedeviled Iran's nuclear development program in 2009 and 2010.
According to researcher Luigi Auriemma, who posted the results on his Web site and on Bugtraq, four leading SCADA (supervisory control and data acquisition) systems contain security flaws, bugs and other vulnerabilities that can be exploited by remote users connecting through the Internet.
The standout of the four products is, Siemens' Tecnomatix FactoryLink – an obsolete pharmaceutical and metals manufacturing application Siemen has announced it will replace by 2012 with replacing with a newer application called WinCC.
Oddly, WinCC is the application the Stuxnet virus targeted when it attacked the Iranian nuclear facilities.
Other companies with apps that appear vulnerable are the oil/gas/pharmaceutical industry application Genesis32 and Genesis64 from Iconics, utility automation developer 7-Technologies and oil/utility/transport software developer Datac's RealFlex.
Unlike flaws in most other types of software, SCADA vulnerabilities carry the risk that exploits could have direct, disastrous impact in the real world, rather than just the virtual one.
The Stuxnet virus, for example, attacked SCADA applications running on Windows computers, changing the way they interacted with thousands of high-speed centrifuges used to process nuclear materials to ensure the centrifuges were spinning at the wrong speeds, making them less effective.
The result was to hinder Iran's nuclear development effort. If the effect were a little more drastic, the result could have been to destroy the centrifuges, expose workers to radioactive material or cause other catastrophic problems in the fuel-refining process.