The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently issued an alert warning of a security flaw in RuggedCom's Rugged Operating System (ROS).
"The vulnerability with proof-of-concept code was publicly disclosed at a security conference last week by Justin Clarke, a security researcher at Cylance Inc," writes Computerworld's Jaikumar Vijayan.
"Clarke said that the Siemens-owned technology maker used a single software key to decode encrypted traffic that flows across its network, and has discovered a way to extract the key, which could then be used to send malware or credentials to the critical systems," writes CNET News' Zack Whittaker.
"Back in April, Clarke publicly disclosed a different ROS vulnerability after notifying the vendor of the problem in February through US-CERT," writes Computerworld's Lucian Constantin. "That vulnerability consisted of a hard-coded 'factory' account that provided backdoor access to RuggedCom devices running ROS. The company addressed the issue by releasing firmware updates in May and June."
"Some researchers say ICS and SCADA companies such as Siemens and RuggedCom aren't doing enough to make their products safe for the companies or governments that rely on them," writes Ars Technica's Dan Goodin. "The critics cite real-world attacks from malware such as Stuxnet and Flame, which burrowed into supposedly secured networks by exploiting a variety of vulnerabilities."