"The security and integrity of Industrial Control Systems (ICS) should be a global concern. The reality is that if these systems were ever vulnerable and reachable via the Internet, they are likely already compromised – simple as that. Not only should these companies patch the system but care should be taken to investigate the systems integrity. Advanced malware can sometimes install itself and fooling the patching software into thinking it has already been patched – like a Jedi mind-trick “These are not the droids you are looking for” manner.
Infiltration of these systems is just one step of the larger picture. These industrial facilities must also make it harder for the adversary to remain hidden as they perform their operations. Raising the cost for your adversary to operate is the critical factor these days as infiltration is almost inevitable. Remember the people attacking these ICS systems are the type of people who do not want to be identified."
Tom Cross, Director of Security Research:
"These are critical vulnerabilities that allow a remote attacker to gain complete control over systems running Yokogawa CENTUM CS3000 by sending just a few packets to the vulnerable system. The availability of functioning exploits in the Metasploit framework means that its easy for attackers to target these vulnerabilities. It is extremely important that operators of Yokogawa CENTUM CS3000 install the available security updates immediately.
Its important to emphasize that the software that controls industrial plant facilities can have serious security vulnerabilities just like any other kind of software. Although we like to think that these systems aren't connected directly to the Internet, it has happened, and often, there are indirect links through back office networks that exist because of the need for the business to monitor its plant operations. Ultimately, its valuable for vulnerabilities like these to be discovered, disclosed, and patched. Identifying and fixing vulnerabilities is part of the process of making these systems more resilient to attack. Frankly, there is much more work to be done in the Industrial Control Systems area before we can have a high degree of confidence that these systems are well protected. "