Chinese Weapon Systems Vulnerable To SCADA Hack

Hackers could potentially gain control of Chinese weapon systems, US Homeland Security has warned

The US Department of Homeland Security (DHS) has warned that Chinese weapon systems are vulnerable to hackers.

The warning came in a DHS advisory written by the DHS Industrial Control Systems Cyber Emergency Response Team. The document warned that software widely used in China to run  weapons systems, utilities and chemical plants has bugs that could allow hackers to damage public infrastructure.

The software is said to be the Sunway ForceControl and pNetPower SCADA/HMI applications, from Beijing-based Sunway ForceControl Technology. This is according to a NSS Labs security researcher, who discovered the flaw.

Control Systems

SCADA stands for Supervisory Control and Data Acquisition, and is used by systems that control, monitor and automate the activities of connected physical systems, such as oil and gas pipeline valves, temperature monitoring and cooling systems, energy grids and traffic lights.

Needless to say, if a hacker were able to access these systems, the potential for damage would be huge.

“Successful exploitation of these vulnerabilities could allow an attacker to perform a remote denial of service or to remotely execute arbitrary code against the ForceControl and pNetPower server applications,” said the DHS advisory. “This action can result in adverse application conditions and ultimately impact the production environment on which the SCADA system is used.”

“Impact to individual organisations depends on many factors that are unique to each organisation. ICS-CERT recommends that organisations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation,” it said.

It seems that the Americans opted to co-operate with their Chinese counterparts after the ICS-CERT “co-ordinated with the researcher, China National Vulnerability Database (CNVD), and Sunway to ensure full remediation of the reported vulnerabilities.”

Apparently Sunway has issued two patches that address both vulnerabilities.

Vulnerable Utilities

The Sunway software is also used to control industrial systems in other countries as well.

Back in early 2009, foreign hackers were able to hack into the US electric grid, after it was discovered they had planted software that could disrupt the system.

And of course the potential vulnerability of industrial control systems was again highlighted by the Stuxnet worm, which infected Iran’s nuclear fuel programme last year.

National Defence

This has led to warning that national infrastructures are ill-prepared to defend themselves against co-ordinated cyber attacks, and some have predicted that future wars could be fought in cyber space.

In February Foreign Secretary William Hague revealed that the UK government had been infected by the Zeus information-stealing Trojan in December. And defence secretary Liam Fox recently said that Britain is under constant attack from hackers, and last year 1,000 potentially serious offensives were blocked.

The European Union recently created its own taskforce to counter the growing threat of cyber attacks. Meanwhile The British government has also acknowledged it has begun work on offensive cyber-weapons to complement its existing defensive capabilities.

This follows the comments from Armed Forces Minister Nick Harvey last November, when he said that the UK must have the ability to launch its own attack against those carrying out cyberwarfare against this country and its infrastructure.