ICS-CERT VTScada Security Announcement (ICSA-16-159-01)

Trihedral President Glenn Wadden describes the risk and what the company has done to protect customers.

June 7, 2016 – ICS-CERT (the Industrial Control Systems Cyber Emergency Response Team) contacted Trihedral regarding a security vulnerability it had identified in the VTScada WAP Server, an optional component that provided basic monitoring and control from older cellular phones.

Who is at risk?

“Exploiting this issue is neither easy nor obvious and is only possible where customers have purchased the optional Alarm Notification license and explicitly enabled the WAP port,” says Glenn Wadden, President of Trihedral and Chief Software Architect for VTScada. “The default installation of VTScada is not vulnerable to this exploit.” Customers who restrict WAP access to internal networks or VPN links are not exposed to attack from the internet, although the vulnerability remains reachable from any host that can connect to the WAP port.

What’s the risk?

“Hackers could access files on WAP-enabled servers and potentially crash those servers,” continues Wadden.

What has been done?

“The detailed technical information provided by ICS-CERT has helped us to formulate an immediate response,” says Wadden. “We have notified the eight VTScada users (and their integrators) who fall into this category. To our knowledge, this vulnerability has not been used to attack any of them. We have also completely eliminated the WAP code from VTScada in version 11.2 which is now available to customers with up-to-date support contracts.”

A better approach to remote connectivity.

In 2013, the VTScada Mobile Internet Client (MIC) superseded the WAP Server as the standard VTScada interface for mobile devices. In VTScada 11.2, the MIC has been joined by the VTScada Anywhere Client, which provides a full operator experience on almost any modern PC, Mac, smartphone, or tablet via HTML5-compliant browsers. No Java is required.

What to do if this applies to your system.

If you are currently using the VTScada WAP Server for remote connectivity, the simplest way to protect your system is to disable the WAP port; after doing so, confirm from a host outside the protected network that the port no longer accepts connections. Contact VTScada support if you need assistance with this. No further action is required; however, we always recommend that customers keep their support contracts up to date so they can upgrade to the latest version, which no longer contains the WAP code, and take advantage of the latest operational and security features.

Keeping the public informed.

“Once we notified ICS-CERT that we had addressed the issue and contacted those affected, we were invited to review their announcement before publication,” says Wadden.

You can read that statement here: https://ics-cert.us-cert.gov/advisories/ICSA-16-159-01

Working together to keep customers safe.

Wadden describes the ongoing challenge of SCADA security. “No software is future-proof and new attack vectors emerge, even for systems without internet access. Our permanent development team conducts regular code reviews and uses the latest hacking strategies to find weaknesses. We at Trihedral thank the ICS-CERT team for their hard work in keeping infrastructure safe.”

About VTScada:

Instantly Intuitive – VTScada removes frustration from every stage of the SCADA/HMI software lifecycle; from pricing and licensing, to development and support. Our unique architecture integrates all core SCADA components into one easy-to-use package so you can start creating fully-featured monitoring and control systems in minutes.

For More Information: