
 

Power Plant Plight: US utilities’ soft underbelly for hackers

Published time: October 17, 2013 20:55
Edited time: October 18, 2013 11:33
The Vermont Yankee nuclear power plant in Vernon (Reuters/Brian Snyder)


New research revealed this week shows that many of the nation’s vital infrastructure systems are more vulnerable to cyberattacks than previously expected.

In fact, researchers Chris Sistrunk and Adam Crain have discovered 25 different security system weaknesses that could potentially permit hackers to sabotage or crash servers that control water systems and electric substations.

Throughout the course of their research, Sistrunk and Crain discovered that the products of more than 20 vendors had significant security vulnerabilities. Hackers could, for example, crash a power station’s master server by guiding it into an infinite loop, or cause power outages by remotely injecting their own makeshift code into a server.

“Every substation is controlled by the master, which is controlled by the operator,” Sistrunk told Wired, which broke the story. “If you have control of the master, you have control of the whole system, and you can turn on and off power at will.”

These security holes have generally been found in serial and networking devices used to communicate between servers and substations. Since most efforts have gone into preventing cyberattacks via IP networks, a security breach through serial communication products has generally been deemed less of a risk. The truth of the matter, as Crain tells it, is that hacking into a power system via serial communication devices may be easier than going through the internet.

Part of the reason why is that substations generally have very lax security; they are rarely manned and often surrounded only by a fence and monitored by a security camera. If physical access isn't possible, hackers could crack into a utility's wireless radio network and use that as a means for delivery.

“If someone tries to breach the control center through the Internet, they have to bypass layers of firewalls,” Crain said. “But someone could go out to a remote substation that has very little physical security and get on the network and take out hundreds of substations potentially. And they don’t necessarily have to get into the substation either.”

Of the more than two dozen vulnerabilities discovered, vendors have released security patches for nine of them. Bafflingly, however, many utilities have yet to install them because they underestimate the potential risk of attack. The fact that the security standards established by the North American Electric Reliability Corporation focus solely on IP communication also makes the problem worse.

In an attempt to raise awareness about the issue, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued multiple reports on the security weaknesses. Additionally, Crain and Sistrunk will speak on their research during Florida’s S4 security conference in January.


Comments (4)

 

Joerg 18.10.2013 16:18

One big reason to be worried about this is that ICS-CERT knows how the virus on Iran's Siemens-based instruments worked and that the virus multiplied through the system and caused a lot of damage over there.

 

Paul Eduard 18.10.2013 15:23

Serial communication hacks are a preferred way to get in.

 

Agnes Maria 18.10.2013 14:58

When people build, they really do not think maliciously. So, most telephone systems are generous. The other side of that is that a generous system is great to explore, so the early "phreakers" (which is what telephone hackers are called) became quite good and encouraged by the high amount of access. When people were designing systems they did not anticipate digital technology, and for one hacker to survey the telephone system is easy with a modern digital machine.
