Exclusive: China software bug makes infrastructure vulnerable

NEW YORK Thu Jun 16, 2011 10:28pm EDT

A Chinese national flag flies outside the Xinhua Gate of the Zhongnanhai leadership compound, the residence of China's top leaders, with World Trade Centre Tower III, a 330-meter-tall skyscraper, the tallest in Beijing in the background November 11, 2010. REUTERS/Petar Kujundzic

NEW YORK (Reuters) - Software widely used in China to help run weapons systems, utilities and chemical plants has bugs that hackers could exploit to damage public infrastructure, according to the Department of Homeland Security.

The department issued an advisory on Thursday warning of vulnerabilities in software applications from Beijing-based Sunway ForceControl Technology Co that hackers could exploit to launch attacks on critical infrastructure.

Sunway's products, widely used in China, are also deployed to a lesser extent in other countries including the United States, DHS's Industrial Control Systems Cyber Emergency Response Team said in its advisory.

"These are vulnerabilities that hackers could leverage to cause destruction," said Dillon Beresford, a researcher with private security firm NSS Labs, who discovered the bugs.

The DHS advisory comes amid a wave of high-profile cyberattacks on institutions ranging from the International Monetary Fund to Citigroup Inc and Sony Corp. The attacks focused primarily on stealing data; only in a few instances has critical infrastructure been attacked.

Last year the Stuxnet computer worm surfaced, targeting industrial control systems manufactured by Siemens. Security experts widely believe that the worm was built as part of a state-backed attack on Iran's nuclear program.

Iran said the worm was used to attack computers at its Bushehr nuclear reactor. There has been widespread speculation that Stuxnet actually damaged the plant, something Iran denies.


Beresford has worked with Sunway, Chinese authorities and the DHS to fix the bugs he found. Sunway has developed software patches to plug the holes, but it could take customers months to install those patches, Beresford said.

That gives hackers a window of time in which to exploit those vulnerabilities.

"Customers need to be notified and given proper time to patch," said Beresford, who also discovered security bugs in industrial control management systems from Siemens. The German company addressed those vulnerabilities in an advisory it released last week.

Representatives for Sunway could not immediately be reached for comment.

The Sunway software flaws highlight growing concerns about the safety of supervisory control and data acquisition (SCADA) computer systems that are used to monitor and control processes in a wide variety of facilities, including nuclear power plants, chemical factories, water distribution networks and pharmaceutical plants.

SCADA systems -- designed before Internet use became widespread -- were not built to withstand Web-based attacks.

Security systems to deal with Web threats have been bolted on rather than incorporated into SCADA systems, leaving holes that hackers can penetrate.

Beresford said that there are other vulnerabilities in SCADA systems that have yet to be documented by security experts and plugged by the manufacturers.

"The point of my putting this information out and getting it into the public domain is so that we can pressure the vendors to actually patch the vulnerabilities instead of sitting on them because these systems are inherently flawed by design," he said.

(Reporting by Jim Finkle; Editing by Tiffany Wu, Phil Berlowitz)

Comments (6)
breezinthru wrote:
Another reason for putting this information out there is to remind China that people who live in glass houses shouldn’t throw stones.

Jun 17, 2011 8:29am EDT
emm305 wrote:
When are we going to learn that computers are not safe?

When are we going to learn that our local, state and federal governments, our electrical grid, our nuclear plants do not need to be operating on the internet?

Computers are not necessary for us to function. They only make us more vulnerable.

Jun 17, 2011 9:38am EDT
GA_Chris wrote:
No offense, but shouldn’t the people doing this focus on securing US systems? As far as I know, many US-based institutions have been successfully infiltrated over the past few months…

Jun 17, 2011 9:44am EDT