The computer systems that control vital industrial machinery in nuclear power plants, water treatment facilities and many other factories are vulnerable to deadly sabotage by hackers with even moderate skills, security researchers say.
Dillon Beresford, who works for security firm NSS Labs, showed at a security conference in Las Vegas how he had successfully hacked into special computer systems that are made by Siemens and other companies and are used in thousands of industrial plants.
The Siemens equipment that Mr. Beresford hacked, called Industrial Control Systems or ICS, is the same product targeted by Stuxnet, the sophisticated computer worm discovered last year to have crippled Iran’s nuclear program.
Stuxnet reprogrammed the computer-controlled centrifuges used to enrich uranium so that they spun out of control and destroyed themselves.
What Mr. Beresford’s work shows is “you don’t need Stuxnet to do real damage” to industrial plants, Vikram Phatak, chief technology officer of NSS Labs, told The Washington Times.
Joe Weiss, a veteran consultant on ICS security for several industries, said the key issue was that Mr. Beresford was able to hack the equipment even with no experience with ICS systems, a small budget and limited time.
“You don’t have to be a nation state” to hack ICS systems, Mr. Weiss said. “The game has fundamentally changed.”
Mr. Beresford, who devised the hacking technique over 2½ months in his bedroom, found a “back door” coded into the Siemens ICS system and several other security weaknesses. These vulnerabilities could allow a hacker with access to the computer network at the plant to shut down or even damage the machinery that the system controls, Mr. Phatak said.
“These systems were never designed with security in mind,” said a senior Homeland Security cybersecurity official, speaking on the condition of anonymity because of department ground rules.
“Traditionally, these networks were not connected” to the public Internet, the official said.
However, in recent years, demands for greater productivity prompted more and more companies to connect their industrial networks to other company networks linked to the Internet.
Mr. Weiss said that in more than a dozen vulnerability assessments he had completed for clients, he found in every case “at least one remote access point connecting an ICS system to the ‘outside world’ [his clients] didn’t know existed.”
A spokesman for Siemens stressed that the company has worked for months with NSS Labs, Homeland Security and their clients to fix the vulnerabilities.
He noted that one of the company’s computer-security specialists, Thomas Brandstetter, joined Mr. Beresford onstage for his presentation earlier this month at the Black Hat Security Conference in Las Vegas.
Last month, the Homeland Security Department issued a bulletin to critical infrastructure owners warning that the loose-knit Internet hacker collective called Anonymous had threatened attacks on U.S. and Canadian oil and gas companies.
The bulletin stated that the skill level associated with Anonymous attacks to date - like those involving the penetration of Web and email servers of state and local law enforcement - was low. The bulletin said it was on a par with the skill level of “script kiddies” - young, untrained hackers.
Yet hackers with more rudimentary skills can quickly exploit security flaws like those identified by Mr. Beresford. “Once the vulnerabilities make their way into open source, that lowers the [skill] bar down to a ‘script kiddie’ level,” said the Homeland Security official.
Mr. Weiss said the exact level of skill required to hack an ICS system would depend on the setup at the facility and the kind of attack the hackers wanted to carry out.
“If you just want to stop the facility, that’s one thing,” he said. “If you want to destroy the machinery [as Stuxnet did], that’s harder.”
