Software glitch leaves utilities open to attack

Attackers could gain control of water treatment plants, natural gas pipelines and other critical utilities because of a vulnerability in the software that runs some of those facilities, security researchers reported Wednesday.

Experts with Boston’s Core Security Technologies, who discovered the deficiency and described it to the Associated Press before they issued a security advisory, said there’s no evidence anyone else found or exploited the flaw.

Citect Pty. Ltd., which makes the program called CitectSCADA, patched the hole last week, five months after Core Security first notified Citect of the problem.

But the vulnerability could have counterparts in other supervisory control and data acquisition, or SCADA, systems. And it’s not clear whether all Citect clients have installed the patch.

SCADA systems remotely manage computers that control machinery, including water supply valves, industrial baking equipment and security systems at nuclear power plants.

Customers that use CitectSCADA include natural gas pipelines in Chile, major copper and diamond mines in Australia and Botswana, a large pharmaceutical plant in Germany, and water treatment plants in Louisiana and North Carolina.

For an attack involving this vulnerability that Core Security revealed Wednesday to occur, the target network would have to be connected to the Internet. That goes against industry policy but can happen when companies have lax security measures, such as connecting control systems’ computers and computers with Internet access to the same routers.

A rogue employee could also access the system internally.

Security experts say the finding highlights the possibility that hackers could cut the power to entire cities, poison a water supply by disrupting water treatment equipment or cause a nuclear power plant to malfunction by attacking the utility’s controls.

That possibility has grown in recent years as more of those systems are connected to the Internet.

The Citect vulnerability is of a common type. Called a buffer overflow, it allows a hacker to gain control of a program by sending a computer too much data.

“It’s not a very elaborate problem,” said Ivan Arce, Core Security’s chief technology officer. “If we found this thing - and this was not that hard - it would be easy for someone else to do it.”