Software widely used in China to help run weapons systems, utilities and chemical plants has bugs that hackers could exploit to damage public infrastructure, according to the US Department of Homeland Security (DHS).
The department issued an advisory on Thursday warning of vulnerabilities in software applications from Beijing-based Sunway ForceControl Technology Co that hackers could exploit to launch attacks on critical infrastructure.
Sunway’s products, widely used in China, are also deployed to a lesser extent in other countries, including the US, the DHS’s Industrial Control Systems Cyber Emergency Response Team said in its advisory.
“These are vulnerabilities that hackers could leverage to cause destruction,” said Dillon Beresford, a researcher with private security firm NSS Labs, who discovered the bugs.
The DHS advisory comes amid a wave of high-profile cyber-attacks on institutions ranging from the IMF to Citigroup Inc and Sony Corp. The attacks focused primarily on stealing data; only in a few instances has critical infrastructure been attacked.
Last year the Stuxnet computer worm surfaced, targeting industrial control systems manufactured by Siemens. Security experts widely believe that the worm was built as part of a state-backed attack on Iran’s nuclear program.
Iran said the worm was used to attack computers at its Bushehr nuclear reactor. There has been widespread speculation that Stuxnet actually damaged the plant, something Iran denies.
Beresford has worked with Sunway, Chinese authorities and the DHS to fix the bugs he found. Sunway has developed software patches to plug the holes, but it could take customers months to install those patches, Beresford said.
That gives hackers a window of time in which to exploit those vulnerabilities.
“Customers need to be notified and given proper time to patch,” said Beresford, who also discovered security bugs in industrial control management systems from Siemens. The German company addressed those vulnerabilities in an advisory it released last week.
Representatives for Sunway could not immediately be reached for comment.
The Sunway software flaws highlight growing concerns about the safety of supervisory control and data acquisition (SCADA) computer systems that are used to monitor and control processes in a wide variety of facilities, including nuclear power plants, chemical factories, water distribution networks and pharmaceutical plants.
SCADA systems — designed before Internet use became widespread — were not built to withstand Web-based attacks.
Security systems to deal with Web threats have been bolted on rather than incorporated into SCADA systems, leaving holes that hackers can penetrate.
Beresford said that there are other vulnerabilities in SCADA systems that have yet to be documented by security experts and plugged by the manufacturers.
“The point of my putting this information out and getting it into the public domain is so that we can pressure the vendors to actually patch the vulnerabilities instead of sitting on them because these systems are inherently flawed by design,” he said.