Channel Register

SCADA security bug exposes world's critical infrastructure

Anonymous Coward

Guess what'll happen? 

Coat

That'll be another excuse to add 5p per litre for petrol, mark my words. Anyone know how to safely store drums of petrol in your kitchen next to the cooker?

b166er

T5 

I put lots of CAT6 in for SCADA systems at T5. Presumably a patch is on its way?

Anonymous Coward

time to bend over and.... 

Flame

And you wonder why Osama and Co are suddenly gone quiet at the moment...

They are all busy using all those ex-corporate PCs that were sent to the third world to train up and learn how to cause mass mischief over the internet...

Next thing, the DOHS will classify the PC as a WMD and we'll all be classed as enemies of the state....

Though the policies of the Bush administration have made most non-US citizens enemies of the US already...

Mine's the bright orange one... with the big silver ankle and wrist chains ;p

Filippo

off the net 

While SCADA developers should strive to make their software secure, I place the real blame on the morons that made their factory systems accessible from the Internet. Any program that controls heavy machinery should sit beyond multiple layers of security making sure that unauthorized parties can't even try to connect to the software - or, even better, it should be off the net altogether.

Charles Manning

It's all about good design 

There is nothing wrong with hooking up SCADA networks with others, so long as it is done through proper gateways. That allows data collection for business purposes and even remote monitoring (so that you can wake engineers at 3am and ask them to take a look on their web browser rather than have them drive in to the factory etc).

On a micro scale, the same sort of partitioning also happens in CAN networks in cars. Critical stuff is on a different network from the body electronics (windows, lights etc). Both feed into the dash. With bad design, you could have a situation where a faulty light switch might overload the network and kill the brakes. With external networking (traffic info streams etc) in theory there's a network path for a hacker to kill your brakes. In practice very rigorous system partitioning makes this impossible.

MacroRodent

When will we learn 

Boffin

Article: "The flaw in CitectSCADA is related to a lack of proper length-checking that can result in a stack-based buffer overflow."

Sigh. About the millionth time I read about this type of vulnerability. The saddest part is that a solution for these has been known since the 1960s: Use languages that catch array overflows and also do other strict compile- and runtime checking. The people who design systems where failure is not an option, like avionics or space systems, know this and use Ada, which was designed with safety in mind. Several other languages with similar safety properties also exist, but C and C++ are not among them. (CitectSCADA was almost certainly implemented in C or C++, like most embedded systems these days).

Such checking cannot of course eliminate all bugs, but at least an overflow turns into a handleable exception or a crash needing a reboot, instead of potentially allowing malicious code execution. Which do you prefer?

Efficiency concerns? Less of a problem than you might think, especially with today's processors. A statically compiled safe language is anyway faster than Java. Smart compilers can also safely eliminate many of the runtime checks when compiling.
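
The failure class discussed in the comment above, as an added example that is not part of the thread, the article or any vendor's code: a sender-supplied length copied into a fixed stack buffer, beside a form that checks it and returns an error the caller can handle. The wire format, `TAG_CAP` and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_CAP 32  /* constructed destination size for this example */

enum status { P_OK = 0, P_TRUNCATED = -1, P_TOO_LONG = -2 };

/* Constructed wire format (an assumption): a 2-byte big-endian length
 * claimed by the sender, followed by that many payload bytes. */

/* Unchecked: trusts the claimed length, so any value above TAG_CAP - 1
 * writes past the caller's stack buffer. Shown for contrast, never called. */
void parse_unchecked(const uint8_t *msg, char *tag)
{
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    memcpy(tag, msg + 2, claimed);
    tag[claimed] = '\0';
}

/* Checked: the claimed length is validated against both the bytes actually
 * received and the destination capacity before anything is copied. */
enum status parse_checked(const uint8_t *msg, size_t msg_len,
                          char *tag, size_t tag_cap)
{
    if (msg_len < 2) return P_TRUNCATED;
    size_t claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > msg_len - 2) return P_TRUNCATED; /* would over-read msg */
    if (claimed >= tag_cap) return P_TOO_LONG;     /* would overflow tag  */
    memcpy(tag, msg + 2, claimed);
    tag[claimed] = '\0';
    return P_OK;
}

/* Builds a constructed message and parses it into a TAG_CAP stack buffer. */
int run_sample(size_t claimed, size_t sent)
{
    uint8_t msg[2 + 256] = { (uint8_t)(claimed >> 8), (uint8_t)claimed };
    char tag[TAG_CAP];
    if (sent > 256) sent = 256;
    memset(msg + 2, 'A', sent);
    return parse_checked(msg, 2 + sent, tag, sizeof tag);
}

int main(void)
{
    printf("fits: %d, oversize: %d, lying length: %d\n",
           run_sample(10, 10), run_sample(200, 200), run_sample(200, 10));
    return 0;
}
```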

Anonymous Coward

In practice though 

Coat

These SCADA systems, although based on standard components, are pretty much bespoke for each implementation. To achieve any real degree of control you'd have to have a lot of inside knowledge about the target.

In practice it would be easier to physically infiltrate the site and get up to mischief.

Mine's the blue overalls with the fake BT logo on...

Duncan Robertson

Hear, hear!

Boffin

Filippo and Charles have hit the nail on the head!

Yes, the software should be secure (not really that difficult with this stuff!) and the networks the software is being run on need to be secure. None of these guys heard of proxies or VPNs? Tiered security with decent authorisation and authentication should cover it...

Hooking these sorts of systems up to the interweb in full view of some monkey intent on playing terrorist or anti-globalisation activist is like hooking a completely un-patched or protected Windows PC to the same interweb. You just wouldn't, would you?

Goggles - safety first!

Blockhead

@AC, Rodent and Duncan 

The petrol companies don't add 5p per litre to the price because their costs go up. They add 5p to the price because they can. Capitalism in full tilt.

Duncan - agree with your comments. Assuming Tiered security includes boring things like VLANs - this isn't that tough to implement and payscales assume that network admins know and do this.

ADA is still alive? That's cool. Does anyone know if APL is still around? Someone could write a complete SCADA deployment in one line of APL code. Though it wouldn't sound as catchy as "ADA for SCADA".

Jeff

fushin 

Linux

As per others' comments, it shouldn't even be near the internet, as per tiering and layered security... security 101 ffs.

Strange how only Citect (SCADA) has been mentioned over the last few years in SCADA kb's.

To expose major infrastructure with a web server (as it does) to external public subnets is actually breaching the laws in some countries and states, and any admin or manager who allows this should be fired.

These exploits will continue until we stop using the MS c+ development platform as mentioned in the other posts and utilise secure coding principles and platforms.

This SCADA package unfortunately only runs on the MS OS, and not nux, Apple etc.