Information Technology News
Recent Reports of SCADA’s Demise have been Greatly Exaggerated
by David Heath
Tuesday, 17 June 2008
Page 1 of 2
Cognisant of the risks of exposing such critical infrastructure to the “naughty lads of the Internet,” pretty well every user of SCADA systems makes very sure that they are not exposed. Normally this involves an air gap: the industrial systems are simply not connected to anything else. More recently, with increasing interconnectedness, users are finding that their industrial systems are connected to their business management systems, but (obviously) still remaining behind the corporate firewalls.

In the oft-republished Associated Press article (here for instance) regarding the buffer overflow in CitectSCADA, a naïve person might think that the sky was about to fall and the nearest water treatment plant was about to fail. Nothing could be farther from the truth.

Yes, a vulnerability was discovered by Core Security Technologies and reported in detail to Citect on February 6th 2008. After analysis of the issue, Citect responded to Core that, in effect, they could not determine how the vulnerability might affect their customers, as the software was specifically designed and implemented to be well separated from the internet and, as far as Citect knew, that was how it was being implemented. Citect added that it would be addressed in the next release of the software.

Specifically, the only way a user of the software could be vulnerable is to have active ODBC interfaces and to be directly connected to the internet without any security. Seems to me that for computers in such a situation (ignoring the ODBC factor), SCADA vulnerabilities would be the least of their problems!








