Researchers have found a vulnerability affecting the energy grid in the Nova-Wind Turbine human-machine interface (HMI) that would allow remote code execution. An advisory from ICS-CERT explains that successful exploitation of this vulnerability can cause a loss of power for all attached systems because it allows the ID to be retrieved from the browser and changed.
Tim Erlin, Director of IT Security and Risk Strategy at Tripwire, commented that he expects these types of reports on industrial control systems will only increase and that more attention needs to be focused on securing the grid.
Tim Erlin, Director of IT Security and Risk Strategy at Tripwire
“We’ve seen an upward trend in vulnerability disclosures for industrial control systems, especially in the energy space. Increased scrutiny from the security industry, in combination with the introduction of more networked systems, has uncovered inherent flaws in design, implementation and code. This trend isn’t likely to stop or slow down, as the vendors in the space seem to be playing catch up with more mainstream technology players around security.
Ultimately, the consumers of these products, the energy generation, transmission and distribution companies, will pay the price for unpatched vulnerabilities. Critical infrastructure is a target, and we need to do more to protect it.”
Tim Erlin is a Director of Product Management at Tripwire, and is responsible for the Suite360 product line including Vulnerability Management, Configuration Auditing, and Policy Compliance. Previously, in his nearly 10-year tenure at nCircle, he also held the positions of Senior Sales Engineer and QA Engineer. Tim's career in information technology began with project management, customer service, as well as systems and network administration. Tim is a member of ISSA, and frequently hosts corporate webinars on various topics, including regulatory compliance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.