Citect, a designer of software used by manufacturing plants and other industrial facilities, has removed an advisory that played down a vulnerability in one of its popular pieces of software. Citect's move followed last week's release of proof-of-concept code that exploited a vulnerability in CitectSCADA, which is used to manage …
This is an improvement over the previous SCADA article
Dan cited a specific implementation of SCADA software, which makes more sense to me than SCADA itself having vulnerabilities. I think that the previous article's gone through some editing, too.
It's still not clear to me whether this vulnerability is exploitable by folks on the street as such, or by insiders only. This depends on whether there are external access points to the system, I suppose. Pretty easy to mitigate those. Again, I'd be more worried about insiders than external h4x0rs.
Slow news day? I'm no huge Citect fan, but seriously? 'Company pulls advice for some better advice?' Come on. Anyone would think you've got it in for them!
SCADA is normally private
SCADA systems normally run on private networks using VPNs etc. to cross the wilds. That makes most proof-of-concept vulns theoretical rather than practical.
In the old days (1980s, when I dabbled in SCADA) they already had tiered security. People gathering stats for bean counting or system analysis did not have the rights to twiddle knobs. This was more often than not controlled by tiered physical security (only computers in the control room could twiddle) as well as logons.
Of course an internal hacker could do damage, but then he could also go and throw a physical spanner in the works too.