Tuesday, October 30, 2012

For Energy and other Critical Infrastructure Companies, Supply Chain Security Trap Door Remains Wide Open

Another week, another awful revelation related to security weaknesses in widely (and I do mean WIDELY) installed control system products. Last week we had THIS, and now this week we pile on with an issue that seems well nigh insolvable.

From Ars Technica:
"The CoDeSys software tool, which is used in industrial control systems sold by 261 different manufacturers, contains functionality that allows people to remotely issue powerful system commands," Reid Wightman, a researcher with security firm ioActive, told Ars .... "There is absolutely no authentication needed to perform this privileged command," Wightman said.  Of the two specific programmable logic controllers (PLCs) Wightman has tested, both allowed him to issue commands that halted the devices' process control. He estimated there are thousands of other models that also ship with CoDeSys installed, and he said most of them are probably vulnerable to the same types of attacks.
Perhaps we'll learn something in coming weeks that will reveal the scope isn't as big as it seems. But until then, I'll leave you with a comment from one of the Ars readers that gets to the heart of the supply chain security challenge:
If it sounds too stupid for words BUT it would make life easier for the developers or admin, then it's sure to have happened. 
Sad, but I'm afraid, true. HERE's the whole article for you.