A new serious vulnerability notice was announced yesterday. Core Security announced a DOS (denial-of-service) vulnerability in the Wonderware Suitelink software suite. This vulnerability allows hackers to remotely cause the software to terminate. Suitelink is a SCADA (supervisory control and data acquisition) software that controls the process automation in major facilities such as power stations.
DHS/US-CERT has also made a National Cyber Alert on this vulnerability.
What the consequenses of such vulnerability can be? In the worst case, crashing a control software can slow down or stop the plant automation operations that may lead into shutdown or even uncontrolled instability of the process.
Obviously, all (I hope) systems have failback and backup procedures for such situations. No need to go get emergency food provisions because of this.
This type of vulnerabilities are not very uncommon with any technology products. There are new findings daily.
In this case, Wonderware seems to have done the corrective actions very well.
In the construction industry, a special attention to protect against technology risks are vital. Technology helps us a great deal, but there must be proactive planning for such situations.
Just image the consequeces when the elevators of a skyscraper totally malfuntion, or glass facade breaks due to a design mistake. What if a power plant gets out of control because of a software malfunction? Holes in the technology can also open opportunities for acts of terror towards any building or infrastructure.
This is why the information security must be assessed during the whole construction project and also after the provisioning of the final build. If there is no clear method for managing the information, the securing is almost an impossible task.
My quick advise on how to take care of the information security:
- Know where all the information is
- Know who has access to what information
- Use advanced access control methods, encryption and authentication mechanisms
- Record the use of information
- After the project, keep the same level of security
- Do not destruct the building information data when the project is finished
- Have someone to take responsibility over information security
Filed under: Construction Data Technology, Construction Design, Construction Process Improvement | Tagged: building security, construction, Core Security, DHS, DOS, information security, National Cyber Alert, power plants, security, US-CERT, vulnerability, Wonderware |