A Chinese software company is alleged to have placed security holes in its products sold to chemical, defense, and energy companies in Europe, the Americas, Asia, and Africa. Beijing-based Sunway ForceControl makes SCADA (supervisory control and data acquisition) software, which is used in computer systems that control and monitor manufacturing plants and equipment across different industries.
The Department of Homeland Defense warned of two vulnerabilities in the Chinese company's software in an advisory issued on Friday. The security holes, discovered by researcher Dillon Beresford of NSS Labs, can potentially let hackers launch a DDoS (distributed denial-of-service) attack or remotely execute arbitrary code on key systems.
The software, sold worldwide, is used in industries including petroleum, petrochemical, defense, railways, coal, energy, pharmaceutical, telecommunications, water, manufacturing, and others.
Sunway issued two patches designed to fix both of the security holes, after DHS's ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) contacted Sunway and China's National Vulnerability Database (CNVD).
In the past, the US has warned about the vulnerability of SCADA systems as a result of security holes exploited in several SCADA applications, especially since this software is critical in managing public infrastructure.
ICS-CERT advised owners of control system devices to make sure that these devices are protected behind firewalls and isolated from the overall business network. Employees are asked to use virtual private networks (VPNs) for remote access.